|---------------------|
Building Rule: 2009245
-------- Hex Payload Start ----------
54 63 6c 53 68 65 6c 6c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009285
-------- Hex Payload Start ----------
53 53 53 53 53 43 53 43 53 ff d0 66 68 66 53 89 e1 95 68 a4 1a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009247
-------- Hex Payload Start ----------
d9 74 24 f4 5b 81 73 13 83 eb fc e2 f4
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008556
-------- Hex Payload Start ----------
43 57 44 20 43 3a 5c 5c 57 49 4e 44 4f 57 53 5c 5c 73 79 73 74 65 6d 33 32 5c 5c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000499
-------- Hex Payload Start ----------
2f 43 4f 4d 31 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000500
-------- Hex Payload Start ----------
2f 43 4f 4d 32 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000501
-------- Hex Payload Start ----------
2f 43 4f 4d 33 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000502
-------- Hex Payload Start ----------
2f 43 4f 4d 34 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000503
-------- Hex Payload Start ----------
2f 4c 50 54 31 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000504
-------- Hex Payload Start ----------
2f 4c 50 54 32 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000505
-------- Hex Payload Start ----------
2f 4c 50 54 33 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000506
-------- Hex Payload Start ----------
2f 4c 50 54 34 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000507
-------- Hex Payload Start ----------
2f 41 55 58 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000508
-------- Hex Payload Start ----------
2f 4e 55 4c 4c 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008559
-------- Hex Payload Start ----------
23 0d 0a 23 20 54 68 69 73 20 69 73 20 61 20 73 61 6d 70 6c 65 20 48 4f 53 54 53 20 66 69 6c 65 20 75 73 65 64 20 62 79 20 4d 69 63 72 6f 73 6f 66 74 20 54 43 50 2f 49 50 20 66 6f 72 20 57 69 6e 64 6f 77 73 2e 0d 0a 23 0d 0a 23 20 54 68 69 73 20 66 69 6c 65 20 63 6f 6e 74 61 69 6e 73 20 74 68 65 20 6d 61 70 70 69 6e 67 73 20 6f 66 20 49 50 20 61 64 64 72 65 73 73 65 73 20 74 6f 20 68 6f 73 74 20 6e 61 6d 65 73 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002809
-------- Hex Payload Start ----------
32 32 30 20 53 74 6e 79 46 74 70 64 20 30 77 6e 73 20 6a 30
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002810
-------- Hex Payload Start ----------
32 32 30 20 52 65 70 74 69 6c 65 20 77 65 6c 63 6f 6d 65 73 20 79 6f 75
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002811
-------- Hex Payload Start ----------
32 32 30 20 42 6f 74 20 53 65 72 76 65 72 20 28 57 69 6e 33 32 29
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003464
-------- Hex Payload Start ----------
32 32 30 20 20 2d 2d 77 61 72 46 54 50 64 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003465
-------- Hex Payload Start ----------
32 32 30 20 20 2d 2d 66 72 65 65 46 54 50 64 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007725
-------- Hex Payload Start ----------
32 32 30 20 57 69 6e 46 74 70 64 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007726
-------- Hex Payload Start ----------
32 32 30 20 53 74 6e 79 46 74 70 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009210
-------- Hex Payload Start ----------
32 32 30 20 66 75 63 6b 46 74 70 64 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009211
-------- Hex Payload Start ----------
32 32 30 20 4e 7a 6d 78 46 74 70 64 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2009579
-------- Hex Payload Start ----------
73 74 64 61 70 69 5f 72 65 67 69 73 74 72 79 5f 63 72 65 61 74 65 5f 6b 65 79
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000345
|---------------------|
Building Rule: 2000347
&|#|\+|!
content:"&";
|---------------------|
Building Rule: 2000348
Parser failed - skipping rule
|---------------------|
Building Rule: 2000349
-------- Hex Payload Start ----------
50 52 49 56 4d 53 47 20 20 20 3a 2e 44 43 43 20 53 45 4e 44
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000350
-------- Hex Payload Start ----------
50 52 49 56 4d 53 47 20 20 20 3a 2e 44 43 43 20 43 48 41 54 20 63 68 61 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000351
-------- Hex Payload Start ----------
4a 4f 49 4e 20 3a 20 23
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000352
-------- Hex Payload Start ----------
55 53 45 52 48 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003535
-------- Hex Payload Start ----------
72 35 37 73 68 65 6c 6c 20 2d 20 68 74 74 70 2d 73 68 65 6c 6c 20 62 79 20 52 53 54 2f 47 48 43
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007651
-------- Hex Payload Start ----------
78 32 33 30 30 20 4c 6f 63 75 73 37 53 68 65 6c 6c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011667
-------- Hex Payload Start ----------
20 4a 61 76 61 2f
--------- Hex Payload End -----------
type limit, track by_src, count 1, seconds 300
|---------------------|
Building Rule: 2011668
-------- Hex Payload Start ----------
20 4a 61 76 61 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2006417
-------- Hex Payload Start ----------
ff 53 4d 42 20 00 11 22 33 44 55 66 77 88
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008953
\/notify\/(single|mass)$
uricontent:"/notify/single";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> [72.20.18.2,72.20.18.3] any (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"POST"; http_method; content:"/notify/"; http_uri; uricontent:"/notify/single"; content:"defacer|3d|"; http_client_body; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:13;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2002034
-------- Hex Payload Start ----------
72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003071
-------- Hex Payload Start ----------
72 6f 6f 74 3a 2a 3a 30 3a 30 3a 20 3a 2f 72 6f 6f 74 3a 2f 62 69 6e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003149
-------- Hex Payload Start ----------
72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003150
-------- Hex Payload Start ----------
72 6f 6f 74 3a 2a 3a 30 3a 30 3a 20 3a 2f 72 6f 6f 74 3a 2f 62 69 6e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010495
-------- Hex Payload Start ----------
50 44 46 2d 74 68 69 73 2e 6d 65 64 69 61 2e 6e 65 77 50 6c 61 79 65 72 28 6e 75 6c 6c 20 75 74 69 6c 2e 70 72 69 6e 74 64
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010664
-------- Hex Payload Start ----------
0d 0a 25 46 44 46 2d 2f 46 28 4a 61 76 61 53 63 72 69 70 74 3a
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)
content:"<OBJECT classid=clsid:E2883E8F-472F-4fb0-9522-AC9BF37916A70offer-ineligible";
|---------------------|
Building Rule: 2010665
-------- Hex Payload Start ----------
45 32 38 38 33 45 38 46 2d 34 37 32 46 2d 34 66 62 30 2d 39 35 32 32 2d 41 43 39 42 46 33 37 39 31 36 41 37 20 6f 66 66 65 72 2d 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 45 32 38 38 33 45 38 46 2d 34 37 32 46 2d 34 66 62 30 2d 39 35 32 32 2d 41 43 39 42 46 33 37 39 31 36 41 37 30 6f 66 66 65 72 2d 69 6e 65 6c 69 67 69 62 6c 65
--------- Hex Payload End -----------
name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22
NOT IMPL not _simple(av) in REPEATING CODES
content:"name="DHL.zip"";
|---------------------|
Building Rule: 2010148
-------- Hex Payload Start ----------
6e 61 6d 65 3d 22 44 48 4c 20 2e 7a 69 70 22 20 6e 61 6d 65 3d 22 44 48 4c 2e 7a 69 70 22
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010463
-------- Hex Payload Start ----------
46 65 65 4c 43 6f 4d 7a 46 65 65 4c 43 6f 4d 7a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010968
-------- Hex Payload Start ----------
50 44 46 2d 4c 61 75 6e 63 68 57 69 6e 2e 65 78 65
--------- Hex Payload End -----------
http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar
content:"http: -J-jar -J\\\\0.0.0.0\\.jar";
|---------------------|
Building Rule: 2011698
-------- Hex Payload Start ----------
68 74 74 70 3a 20 2d 4a 2d 6a 61 72 20 2d 4a 5c 5c 5c 5c 20 2e 6c 61 75 6e 63 68 28 20 68 74 74 70 3a 20 2d 4a 2d 6a 61 72 20 2d 4a 5c 5c 5c 5c 30 2e 30 2e 30 2e 30 5c 5c 2e 6a 61 72
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
content:"<OBJECT classid=clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
|---------------------|
Building Rule: 2011010
-------- Hex Payload Start ----------
43 41 46 45 45 46 41 43 2d 44 45 43 37 2d 30 30 30 30 2d 30 30 30 30 2d 41 42 43 44 45 46 46 45 44 43 42 41 20 6c 61 75 6e 63 68 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 43 41 46 45 45 46 41 43 2d 44 45 43 37 2d 30 30 30 30 2d 30 30 30 30 2d 41 42 43 44 45 46 46 45 44 43 42 41
--------- Hex Payload End -----------
\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]
content:"../../0C:\a";
|---------------------|
Building Rule: 2010798
-------- Hex Payload Start ----------
23 3a 2e 2e 2f 2e 2e 2f 20 43 3a 5c 20 2e 2e 2f 2e 2e 2f 30 43 3a 5c 61
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010799
-------- Hex Payload Start ----------
64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 4f 62 6a 65 63 74 20 2e 69 6e 6e 65 72 48 54 4d 4c 77 69 6e 64 6f 77 2e 73 65 74 49 6e 74 65 72 76 61 6c 73 72 63 45 6c 65 6d 65 6e 74
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83
content:"<OBJECT classid=clsid:333C7BC4-460F-11D0-BC04-0080C7055A83";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; content:"<OBJECT classid=clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,doc.emergingthreats.net/2011007; classtype:attempted-user; sid:2011007; rev:8;)
Parser failed - skipping rule
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91
content:"<OBJECT classid=clsid:CAAFDD83-CEFC-4E3D-BA03-175F17A24F91";
|---------------------|
Building Rule: 2009610
-------- Hex Payload Start ----------
63 6c 73 69 64 43 41 41 46 44 44 38 33 2d 43 45 46 43 2d 34 45 33 44 2d 42 41 30 33 2d 31 37 35 46 31 37 41 32 34 46 39 31 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 43 41 41 46 44 44 38 33 2d 43 45 46 43 2d 34 45 33 44 2d 42 41 30 33 2d 31 37 35 46 31 37 41 32 34 46 39 31
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980
content:"<OBJECT classid=clsid:D02AAC50-027E-11D3-9D8E-00C04F72D980";
|---------------------|
Building Rule: 2009611
-------- Hex Payload Start ----------
63 6c 73 69 64 44 30 32 41 41 43 35 30 2d 30 32 37 45 2d 31 31 44 33 2d 39 44 38 45 2d 30 30 43 30 34 46 37 32 44 39 38 30 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 44 30 32 41 41 43 35 30 2d 30 32 37 45 2d 31 31 44 33 2d 39 44 38 45 2d 30 30 43 30 34 46 37 32 44 39 38 30
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02
content:"<OBJECT classid=clsid:FA7C375B-66A7-4280-879D-FD459C84BB02";
|---------------------|
Building Rule: 2009613
-------- Hex Payload Start ----------
63 6c 73 69 64 46 41 37 43 33 37 35 42 2d 36 36 41 37 2d 34 32 38 30 2d 38 37 39 44 2d 46 44 34 35 39 43 38 34 42 42 30 32 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 46 41 37 43 33 37 35 42 2d 36 36 41 37 2d 34 32 38 30 2d 38 37 39 44 2d 46 44 34 35 39 43 38 34 42 42 30 32
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3
content:"<OBJECT classid=clsid:011B3619-FE63-4814-8A84-15A194CE9CE3";
|---------------------|
Building Rule: 2009614
-------- Hex Payload Start ----------
63 6c 73 69 64 30 31 31 42 33 36 31 39 2d 46 45 36 33 2d 34 38 31 34 2d 38 41 38 34 2d 31 35 41 31 39 34 43 45 39 43 45 33 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 31 31 42 33 36 31 39 2d 46 45 36 33 2d 34 38 31 34 2d 38 41 38 34 2d 31 35 41 31 39 34 43 45 39 43 45 33
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90
content:"<OBJECT classid=clsid:0149EEDF-D08F-4142-8D73-D23903D21E90";
|---------------------|
Building Rule: 2009615
-------- Hex Payload Start ----------
63 6c 73 69 64 30 31 34 39 45 45 44 46 2d 44 30 38 46 2d 34 31 34 32 2d 38 44 37 33 2d 44 32 33 39 30 33 44 32 31 45 39 30 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 31 34 39 45 45 44 46 2d 44 30 38 46 2d 34 31 34 32 2d 38 44 37 33 2d 44 32 33 39 30 33 44 32 31 45 39 30
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E
content:"<OBJECT classid=clsid:0369B4E5-45B6-11D3-B650-00C04F79498E";
|---------------------|
Building Rule: 2009616
-------- Hex Payload Start ----------
63 6c 73 69 64 30 33 36 39 42 34 45 35 2d 34 35 42 36 2d 31 31 44 33 2d 42 36 35 30 2d 30 30 43 30 34 46 37 39 34 39 38 45 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 33 36 39 42 34 45 35 2d 34 35 42 36 2d 31 31 44 33 2d 42 36 35 30 2d 30 30 43 30 34 46 37 39 34 39 38 45
--------- Hex Payload End -----------
(SnapshotPath|CompressedPath|PrintSnapshot)
content:"SnapshotPath";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; content:"SnapshotPath"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:5;)
Parser failed - skipping rule
(SnapshotPath|CompressedPath|PrintSnapshot)
content:"SnapshotPath";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; content:"SnapshotPath"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; classtype:web-application-attack; sid:2008408; rev:5;)
Parser failed - skipping rule
(SnapshotPath|CompressedPath|PrintSnapshot)
content:"SnapshotPath";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; content:"SnapshotPath"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; classtype:web-application-attack; sid:2008409; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2011223
-------- Hex Payload Start ----------
48 54 54 50 2f 31 20 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 64 69 76 20 69 64 3d 22 70 61 67 65 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 22 3e
--------- Hex Payload End -----------
download\x2FAntivirus_\d+\x2Eexe
uricontent:"download/Antivirus_0.exe";
|---------------------|
Building Rule: 2010050
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010051
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010054
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010055
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
\/crack\.\d+\.exe$
uricontent:"/crack.0.exe";
|---------------------|
Building Rule: 2010059
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010061
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010062
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
\/installer\.\d+\.exe
uricontent:"/installer.0.exe";
|---------------------|
Building Rule: 2010452
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
\/installer_\d+\.exe
uricontent:"/installer_0.exe";
|---------------------|
Building Rule: 2010453
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
Setup_20\d+\x2Eexe
uricontent:"Setup_200.exe";
|---------------------|
Building Rule: 2010684
-------- Hex Payload Start ----------
47 45 54 20 20 2e 65 78 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009172
-------- Hex Payload Start ----------
4a 4f 49 4e 20 23 6d 69 70 73 65 6c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008368
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 29
--------- Hex Payload End -----------
src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape
content:"src=hcp://%3cscriptdeferunescape";
|---------------------|
Building Rule: 2011173
-------- Hex Payload Start ----------
68 63 70 3a 2f 2f 73 63 72 69 70 74 64 65 66 65 72 75 6e 65 73 63 61 70 65 20 73 72 63 3d 68 63 70 3a 2f 2f 25 33 63 73 63 72 69 70 74 64 65 66 65 72 75 6e 65 73 63 61 70 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008531
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 20 03 63 68 72 0b 73 61 6e 74 61 2d 69 6e 62 6f 78 03 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000010
-------- Hex Payload Start ----------
25 25 25 25 25 58 58 25 25 25 25 25
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002880; classtype:attempted-dos; sid:2002880; rev:8;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002881; classtype:attempted-dos; sid:2002881; rev:8;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002882; classtype:attempted-dos; sid:2002882; rev:7;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002926; classtype:attempted-dos; sid:2002926; rev:7;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002927; classtype:attempted-dos; sid:2002927; rev:7;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002928; classtype:attempted-dos; sid:2002928; rev:7;)
Parser failed - skipping rule
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2010755
-------- Hex Payload Start ----------
00 05 03 31 41
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9;)
Parser failed - skipping rule
SELECT.+geometrycollectionfromwkb
content:"SELECT0geometrycollectionfromwkb";
|---------------------|
Building Rule: 2010491
-------- Hex Payload Start ----------
53 45 4c 45 43 54 67 65 6f 6d 65 74 72 79 63 6f 6c 6c 65 63 74 69 6f 6e 66 72 6f 6d 77 6b 62 20 53 45 4c 45 43 54 30 67 65 6f 6d 65 74 72 79 63 6f 6c 6c 65 63 74 69 6f 6e 66 72 6f 6d 77 6b 62
--------- Hex Payload End -----------
ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA
content:"ALTER0DATABASE0"."0UPGRADE0DATA";
|---------------------|
Building Rule: 2011761
-------- Hex Payload Start ----------
41 4c 54 45 52 20 20 44 41 54 41 42 41 53 45 22 2e 55 50 47 52 41 44 45 20 20 44 41 54 41 20 41 4c 54 45 52 30 44 41 54 41 42 41 53 45 30 22 2e 22 30 55 50 47 52 41 44 45 30 44 41 54 41
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010554
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
type limit, count 1, seconds 60, track by_src
|---------------------|
Building Rule: 2010486
-------- Hex Payload Start ----------
17
--------- Hex Payload End -----------
type limit, count 1, seconds 60, track by_src
|---------------------|
Building Rule: 2010487
-------- Hex Payload Start ----------
97 00 00 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2001742
-------- Hex Payload Start ----------
46 4f 3a 20 59 6f 75 20 68 61 76 65 20 73 75 63 20 65 20 63 6c 69 65 6e 74 20 69 6e 66 6f 72 6d 61
--------- Hex Payload End -----------
[0-9a-zA-Z]{50}
content:"00000000000000000000000000000000000000000000000000";
|---------------------|
Building Rule: 2007937
-------- Hex Payload Start ----------
44 53 52 65 71 75 65 73 74 20 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003370
Error here depth!
Error here within!
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 00 00 00 00 20 20 20 20 20 20 20 20 00 00 00 03 00 00 00 08 00 00 00 00 20 20 20 20 00 00 00 00 20 20 20 20 20 20 20 20 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2003379
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ff ff ff ff
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003518
Error here depth!
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 06 09 7e 20 20 20 20 00 00 00 bf 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003750
Error here depth!
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 06 09 82 20 00 00 00 01 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003751
Error here depth!
Error here within!
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 06 09 7e 20 00 00 00 7e 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type limit, track by_dst, count 1, seconds 60 |---------------------| Building Rule: 2000048 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, track by_dst, count 1, seconds 60 |---------------------| Building Rule: 2000031 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, track by_dst, count 1, seconds 60 |---------------------| Building Rule: 2000049 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000007 -------- Hex Payload Start ---------- 61 25 61 25 61 25 61 25 61 25 61 25 61 25 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 120 |---------------------| Building Rule: 2000005 -------- Hex Payload Start ---------- 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58 --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflowflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:7;) Parser failed - skipping rule M-SEARCH\s+[^\n]{500} content:"M-SEARCH ####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; content:"M-SEARCH ####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2007876 -------- Hex Payload Start ---------- 6c 61 6e 67 75 61 67 65 20 65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61 --------- Hex Payload End ----------- [a-zA-Z0-9]{5} content:"aaaaa"; |---------------------| Building Rule: 2007877 -------- Hex Payload Start ---------- 12 06 41 46 50 33 2e 31 20 61 61 61 61 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010783 -------- Hex Payload Start ---------- 67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65 --------- Hex Payload End ----------- (\/\.){70,} NOT IMPL not _simple(av) in REPEATING CODES content:""; |---------------------| Building Rule: 2008776 -------- Hex Payload Start ---------- 63 77 64 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- [\w]{70,} content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2008777 -------- Hex Payload Start ---------- 6c 69 73 74 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- \xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF] content:")#"; |---------------------| Building Rule: 2010546 -------- Hex Payload Start ---------- b6 29 8c 23 ff ff ff 20 b6 29 8c 23 ff ff ff f8 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002850 -------- Hex Payload Start ---------- 55 53 45 52 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002852 -------- Hex Payload Start ---------- 02 6d 73 66 32 38 30 60 --------- Hex Payload End ----------- [\?&]mail=[^&]+?[\x3b\x2c\x7c\x27] uricontent:"?mail=#;"; |---------------------| Building Rule: 2001990 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000046 -------- Hex Payload Start ---------- 00 00 00 00 9a a8 40 00 01 00 00 00 00 00 00 00 20 01 00 00 00 00 00 00 00 9a a8 40 00 01 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000033 -------- Hex Payload Start ---------- 95 14 40 00 03 00 00 00 7c 70 40 00 01 20 78 85 13 00 ab 5b a6 e9 31 31 --------- Hex Payload End 
----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2003072 -------- Hex Payload Start ---------- 20 53 65 63 75 72 69 74 79 4d 6f 64 65 3d 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011669 -------- Hex Payload Start ---------- 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 52 32 56 74 64 47 56 72 4f 6d 64 6c 62 58 52 6c 61 33 4e 33 5a 41 3d 3d 0d 0a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001944 -------- Hex Payload Start ---------- 43 43 43 43 20 f0 fd 7f 53 56 57 66 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2002199 Error here depth! Error here within! Error here within! Error here within! Error here within! 
-------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 25 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 00 20 20 20 20 20 5c 00 50 00 49 00 50 00 45 00 5c 00 20 20 20 20 05 20 0b 20 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b --------- Hex Payload End ----------- |---------------------| Building Rule: 2002200 Error here depth! Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 25 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 00 20 20 20 20 20 5c 00 50 00 49 00 50 00 45 00 5c 00 20 20 05 20 0b 20 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b --------- Hex Payload End ----------- (\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$ NOT IMPL not _simple(av) in REPEATING CODES content:"##00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000########"; |---------------------| Building Rule: 2002201 Error here depth! Error here within! Error here within! Error here within! 
-------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 25 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 00 20 20 20 20 20 5c 00 50 00 49 00 50 00 45 00 5c 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 36 00 20 00 00 ff ff 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 04 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002202; classtype:protocol-command-decode; sid:2002202; rev:4;) Parser failed - skipping rule (\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$ NOT IMPL not _simple(av) in REPEATING CODES content:"##00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000########"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; content:"##00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000########"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; classtype:attempted-admin; sid:2002203; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003082; classtype:misc-attack; sid:2003082; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2008690 Error here depth! 
-------- Hex Payload Start ---------- 20 20 0b 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008691 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 5c 2e 2e 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008692 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008693 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008694 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008696 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 5c 2e 2e 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008697 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008698 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008699 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008700 -------- Hex Payload Start ---------- 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2008701 Error here depth! -------- Hex Payload Start ---------- 20 20 0b 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008702 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 5c 2e 2e 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008703 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008704 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008705 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008706 Error here depth! 
-------- Hex Payload Start ---------- 20 20 0b 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008707 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 5c 2e 2e 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008708 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008709 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008710 -------- Hex Payload Start ---------- 1f 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008712 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 5c 2e 2e 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008713 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008714 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008715 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008717 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 5c 2e 2e 5c --------- Hex Payload End 
----------- |---------------------| Building Rule: 2008718 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 2e 2e 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008719 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008720 -------- Hex Payload Start ---------- 20 00 20 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 20 00 2e 00 2e 00 5c 00 2e 00 2e 00 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008721 -------- Hex Payload Start ---------- 00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002845 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000488 -------- Hex Payload Start ---------- 27 00 20 2d 00 2d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000377 -------- Hex Payload Start ---------- 08 3a 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000380 -------- Hex Payload Start ---------- 12 01 00 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010001 -------- Hex Payload Start ---------- 78 00 70 00 5f 00 65 00 6e 00 75 00 6d 00 65 00 72 00 72 00 6f 00 72 00 6c 00 6f 00 67 00 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010002 -------- Hex Payload Start ---------- 78 00 70 00 5f 00 72 00 65 00 61 00 64 00 65 00 72 00 72 00 6f 00 72 00 6c 00 6f 00 67 00 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010003 -------- Hex Payload Start ---------- 78 00 70 00 5f 00 65 00 6e 00 75 00 6d 00 64 00 73 00 6e 00 --------- Hex Payload End ----------- 
[0-9a-zA-Z]{200,} content:"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2008063 -------- Hex Payload Start ---------- 46 4c 41 47 53 20 42 4f 44 59 20 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 eb 06 90 90 8b 11 dc 64 90 --------- Hex Payload End ----------- (GET).\/%.{1586,} 
content:"GET0/%00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2001988 -------- Hex Payload Start ---------- 47 45 54 20 31 c9 83 e9 af d9 ee 20 47 45 54 30 2f 25 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000017 -------- Hex Payload Start ---------- a1 05 23 03 03 01 07 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2;) Parser failed - skipping rule Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}== content:"Authorization:Basicaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=="; |---------------------| Building Rule: 2007874 -------- Hex Payload Start ---------- 47 45 54 20 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 42 61 73 69 63 20 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 42 61 73 69 63 61 61 61 61 61 61 61 
61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 3d 3d --------- Hex Payload End ----------- \xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4] content:""; |---------------------| Building Rule: 2003400 -------- Hex Payload Start ---------- 55 53 2d 41 53 43 49 49 20 bc f3 e3 f2 e9 f0 f4 --------- Hex Payload End ----------- \xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2 content:""; |---------------------| Building Rule: 2003401 -------- Hex Payload Start ---------- 55 53 2d 41 53 43 49 49 20 ae ef f0 e5 ee a0 a2 e7 e5 f4 a2 --------- Hex Payload End ----------- [\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4] content:""; |---------------------| Building Rule: 2003403 -------- Hex Payload Start ---------- 55 53 2d 41 53 43 49 49 20 f6 e2 f3 e3 f2 e9 f0 f4 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002886 Parser failed - skipping rule |---------------------| Building Rule: 2002887 Parser failed - skipping rule |---------------------| Building Rule: 2002888 Parser failed - skipping rule ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE) content:"ctxsys.drvxtabc.create_tables0SELECT"; |---------------------| Building Rule: 2010375 
Parser failed - skipping rule [^a-zA-Z0-9]+\.message content:"#.message"; |---------------------| Building Rule: 2003196 -------- Hex Payload Start ---------- 53 54 4f 52 20 2e 6d 65 73 73 61 67 65 0d 0a 20 00 2e 6d 65 73 73 61 67 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003197 -------- Hex Payload Start ---------- 43 57 44 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000565 -------- Hex Payload Start ---------- 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000566 -------- Hex Payload Start ---------- 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000564 -------- Hex Payload Start ---------- 70 00 77 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2e 00 65 00 78 00 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000567 -------- Hex Payload Start ---------- 70 00 77 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2e 00 65 00 78 00 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000563 -------- Hex Payload Start ---------- 3a 00 35 00 30 00 30 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2000568 -------- Hex Payload Start ---------- 3a 00 35 00 30 00 30 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001053 -------- Hex Payload Start ---------- 4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001544 -------- Hex Payload Start ---------- 4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 
2001052 -------- Hex Payload Start ---------- 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001543 -------- Hex Payload Start ---------- 53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001753 -------- Hex Payload Start ---------- 50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001754 -------- Hex Payload Start ---------- 50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008444 -------- Hex Payload Start ---------- 4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 50 00 57 00 44 00 55 00 4d 00 50 00 34 00 2e 00 65 00 78 00 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008445 -------- Hex Payload Start ---------- 5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008476 -------- Hex Payload Start ---------- 6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008517 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 63 00 6f 00 6e 00 66 00 69 00 67 00 75 00 72 00 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008518 -------- Hex Payload Start ---------- 73 70 5f 63 6f 6e 66 69 67 75 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000032 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 --------- Hex Payload End ----------- \x3d[^\x26]{720} content:"=################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2008426 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 53 65 63 75 72 69 74 79 47 61 74 65 77 61 79 2e 64 6c 6c 6c 6f 67 6f 6e 26 75 73 65 72 6e 61 6d 65 20 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2001385 Error here depth! Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 61 63 6b 75 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 61 63 6b 90 61 61 61 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001780 -------- Hex Payload Start ---------- 00 54 54 59 50 52 4f 4d 50 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003411 -------- Hex Payload Start ---------- ff fa 27 00 00 55 53 45 52 01 2d 66 --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2003412 -------- Hex Payload Start ---------- ff fa 27 00 00 55 53 45 52 01 2d 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010877 -------- Hex Payload Start ---------- 74 6f 3a 2b 3a 5c 22 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2010941 -------- Hex Payload Start ---------- 74 6f 3a 2b 5c 22 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2000342 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 41 41 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri; content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:4;) Parser failed - skipping rule Template=.*\.\. 
uricontent:"Template=.."; |---------------------| Building Rule: 2002406 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003434 -------- Hex Payload Start ---------- 73 70 6c 78 5f 32 33 37 36 5f 69 6e 66 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007584 Error here within! Error here within! -------- Hex Payload Start ---------- 05 20 20 20 10 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
--------- Hex Payload End ----------- \x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000} 
uricontent:"/requests/status.xml?input=########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2009511 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011241 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; classtype:misc-attack; sid:2002065; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2002068 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 05 02 20 20 20 20 20 20 20 20 00 00 00 03 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002181 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 00 00 00 00 00 00 09 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 04 72 6f 6f 74 b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2002182 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 00 00 00 01 00 00 09 01 20 20 20 20 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- ENTER\x20LANGUAGE\x20\x3D.{55} content:"ENTER LANGUAGE =0000000000000000000000000000000000000000000000000000000"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; content:"ENTER LANGUAGE =0000000000000000000000000000000000000000000000000000000"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2;) Parser failed - skipping rule \x5C[^\x5C\x00]{257} content:"\#################################################################################################################################################################################################################################################################"; Unsupported keyword! Error parsing rule contents alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; content:"\#################################################################################################################################################################################################################################################################"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2002101 Error here depth! -------- Hex Payload Start ---------- ff 50 20 20 20 20 20 20 20 20 20 20 52 41 54 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002102 Error here depth! -------- Hex Payload Start ---------- ff 50 20 20 20 20 20 20 20 20 20 20 50 58 45 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002103 Error here depth! 
-------- Hex Payload Start ----------
ff 50 20 20 20 20 20 20 20 20 20 20 4c 54 52 44
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002104
Error here depth!
-------- Hex Payload Start ----------
ff 50 20 20 20 20 20 20 20 20 20 20 56 44 32 44
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002105
Error here depth!
-------- Hex Payload Start ----------
ff 50 20 20 20 20 20 20 20 20 20 20 50 58 32 44
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002106
Error here depth!
-------- Hex Payload Start ----------
ff 50 20 20 20 20 20 20 20 20 20 20 4e 42 32 57
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002107
Error here depth!
-------- Hex Payload Start ----------
ff 50 20 20 20 20 20 20 20 20 20 20 33 52 41 57
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002108
Error here depth!
-------- Hex Payload Start ----------
ff 50 20 20 20 20 20 20 20 20 20 20 50 58 33 57
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002109
Error here depth!
-------- Hex Payload Start ----------
ff 51 20 20 00 01 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002110
-------- Hex Payload Start ----------
ff 51 08 00 01 01 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002111
-------- Hex Payload Start ----------
ff 51 09 00 00 02 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002112
Error here depth!
-------- Hex Payload Start ----------
ff 51 20 20 01 02 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002113
-------- Hex Payload Start ----------
ff 51 09 00 02 02 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002114
-------- Hex Payload Start ----------
ff 51 09 00 03 02 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002115
-------- Hex Payload Start ----------
ff 3a 08 00 02 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002116
-------- Hex Payload Start ----------
ff 54 1c 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002118
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 01 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002140
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 02 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002141
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 03 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002142
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 04 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002143
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 06 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002144
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 07 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002145
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 09 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002146
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 0a 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002147
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 0d 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002148
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 0e 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002149
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 0f 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002150
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 12 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002151
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 13 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002152
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 17 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002119
-------- Hex Payload Start ----------
ff 0e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002138
-------- Hex Payload Start ----------
00 20 25 00 57 6f 57 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002139
-------- Hex Payload Start ----------
01 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002154
-------- Hex Payload Start ----------
01 00 00 00 00 f1 00 10 00 01 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002170
Error here depth!
-------- Hex Payload Start ----------
ff 0f 20 20 05 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002855
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6c 69 7a 7a 61 72 64 20 44 6f 77 6e 6c 6f 61 64 65 72
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002155
-------- Hex Payload Start ----------
67 65 74 63 68 61 6c 6c 65 6e 67 65 73 74 65 61 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003089
-------- Hex Payload Start ----------
00 00 00 03
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011733
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 00 00 00 00 02 9d 74 8b 45 aa 7b ef b9 9e fe ad 08 19 ba cf 41 e0 16 a2
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011734
-------- Hex Payload Start ----------
f4 be 03 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011735
-------- Hex Payload Start ----------
f4 be 04 00
--------- Hex Payload End -----------
type limit, count 1, seconds 300, track by_src
|---------------------|
Building Rule: 2011736
-------- Hex Payload Start ----------
f4 be 01 00
--------- Hex Payload End -----------
type limit, count 1, seconds 300, track by_src
|---------------------|
Building Rule: 2011737
-------- Hex Payload Start ----------
f4 be 02 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011738
-------- Hex Payload Start ----------
f0 be 05 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011739
-------- Hex Payload Start ----------
f0 be 06 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011740
-------- Hex Payload Start ----------
f0 be 07 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011741
-------- Hex Payload Start ----------
f0 be 08 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011742
-------- Hex Payload Start ----------
f0 be 64 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011743
-------- Hex Payload Start ----------
f0 be 65 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011744
-------- Hex Payload Start ----------
f0 be 30 01
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011745
-------- Hex Payload Start ----------
f0 be 68 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011746
-------- Hex Payload Start ----------
f0 be 2c 01
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011747
-------- Hex Payload Start ----------
f1 be 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011748
-------- Hex Payload Start ----------
47 45 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011749
-------- Hex Payload Start ----------
47 45 54
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011750
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 47 65 74 43 6f 6e 6e 65 63 74 69 6f 6e 41 6e 64 47 61 6d 65 50 61 72 61 6d 73 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011751
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 4f 70 65 6e 53 65 73 73 69 6f 6e 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Connect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>Connect</name>"; nocase; http_client_body; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011752; classtype:policy-violation; sid:2011752; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2011753
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 44 69 73 63 6f 6e 6e 65 63 74 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011754
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 47 65 74 4f 6e 6c 69 6e 65 50 72 6f 66 69 6c 65 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011755
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 47 65 74 42 75 64 64 69 65 73 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011756
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 53 65 61 72 63 68 4e 65 77 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011757
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78 20 3c 72 65 71 75 65 73 74 3e 3c 6e 61 6d 65 3e 4c 69 76 65 55 70 64 61 74 65 3c 2f 6e 61 6d 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2011758
-------- Hex Payload Start ----------
47 45 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 6d 65 42 6f 78
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002003
-------- Hex Payload Start ----------
73 69 6d 70 6c 65 69 6e 74 65 72 6e 65 74 2f 31 38 30 73 61 69 6e 73 74 61 6c 6c 65 72 2e 65 78 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002048
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002099
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002354
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003057
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003058
-------- Hex Payload Start ----------
20 7a 61 6e 67 6f 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003059
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003060
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003061
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003217
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003306
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
\/tbrequest\d+\.php uricontent:"/tbrequest0.php";
|---------------------|
Building Rule: 2003610
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009807
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001447
-------- Hex Payload Start ----------
67 6f 69 64 72 2e 63 61 62 20 48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003620
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001730
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001735
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001761
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003438
-------- Hex Payload Start ----------
20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001441
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008419
-------- Hex Payload Start ----------
20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008425
-------- Hex Payload Start ----------
50 4f 53 54 20 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007601
-------- Hex Payload Start ----------
20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 55 52 4c 20 43 6f 6e 74 72 6f 6c
--------- Hex Payload End -----------
UID=\d uricontent:"UID=0";
|---------------------|
Building Rule: 2007602
-------- Hex Payload Start ----------
20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 55 52 4c 20 43 6f 6e 74 72 6f 6c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001228
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001230
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003446
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2010630
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001450
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001530
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001737
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002349
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003219
-------- Hex Payload Start ----------
20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003606
-------- Hex Payload Start ----------
20 20 20 20 61 6c 65 78 61 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003619
-------- Hex Payload Start ----------
20 48 6f 73 74 3a 20 72 65 64 69 72 65 63 74 2e 61 6c 65 78 61 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000903
-------- Hex Payload Start ----------
20 43 4f 4e 46 49 47
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001999
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003340
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003341
-------- Hex Payload Start ----------
20 62 61 72 2e 62 61 69 64 75 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003578
-------- Hex Payload Start ----------
20 62 61 69 64 75 2e 63 6f 6d 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003605
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003630
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008318
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000574
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001885
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003209
-------- Hex Payload Start ----------
20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003210
-------- Hex Payload Start ----------
20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003211
-------- Hex Payload Start ----------
20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002955
-------- Hex Payload Start ----------
20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002956
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/adv\/\d+\/win32\.exe uricontent:"/adv/0/win32.exe";
|---------------------|
Building Rule: 2002957
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003153
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000366
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000367
-------- Hex Payload Start ----------
20 61 62 65 74 74 65 72 69 6e 74 65 72 6e 65 74 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000371
-------- Hex Payload Start ----------
20 61 62 65 74 74 65 72 69 6e 74 65 72 6e 65 74 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000593
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001198
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001199
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001216
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001339
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001576
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2005319
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001345
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001451
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001452
-------- Hex Payload Start ----------
52 65 66 65 72 65 72 3a 20 6d 73 2d 69 74 73 3a 6d 68 74 6d 6c 3a 66 69 6c 65 3a 2f 2f 43 3a 63 6f 75 6e 74 65 72 2e 6d 68 74 21 68 74 74 70 3a 2f 2f 20 2f 63 6f 75 6e 74 65 72 2f 48 45 4c 50 33 2e 43 48 4d 3a 3a 2f 68 65 6c 70 2e 68 74 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001458
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002088
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2006403
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2006404
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003417
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003418
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003419
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002089
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002095
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002931
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002933
-------- Hex Payload Start ----------
20 73 70 79 2d 73 68 65 72 69 66 66 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001521
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/sd\?s=\d+&f=\d&C=\d uricontent:"/sd?s=0&f=0&C=0";
|---------------------|
Building Rule: 2009880
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/sd\?s=\d+&f=\d uricontent:"/sd?s=0&f=0";
|---------------------|
Building Rule: 2002196
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001041
-------- Hex Payload Start ----------
20 63 61 73 69 6e 6f 6e 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001031
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001032
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001033
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003358
-------- Hex Payload Start ----------
20 63 61 74 63 68 6f 6e 6c 69 66 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001494
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001500
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000931
-------- Hex Payload Start ----------
20 48 6f 73 74 3a 20 75 70 64 61 74 65 2e 63 63 2e 63 6f 6d 65 74 73 79 73 74 65 6d 73 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001050
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001655
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001658
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 6c 6f 67 2e 63 63 2e 63 6f 6d 65 74 73 79 73 74 65 6d 73 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002351
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002352
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003307
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/Message\/\S+\/\S+\.xml uricontent:"/Message/A/A.xml";
|---------------------|
Building Rule: 2003218
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 49
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003074
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003075
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003076
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001704
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001456
-------- Hex Payload Start ----------
20 63 6f 6e 74 65 78 74 70 61 6e 65 6c 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003462
-------- Hex Payload Start ----------
20 64 65 73 6b 62 61 72 5f 69 64 3d 7b
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001479
-------- Hex Payload Start ----------
63 6f 6f 6c 73 65 61 72 63 68 2e 62 69 7a 2f 75 6e 69 74 65 64 2e 68 74 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001453
-------- Hex Payload Start ----------
20 63 6f 75 70 6f 6e 61 67 65 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001454
-------- Hex Payload Start ----------
2e 64 61 5f 20 63 6f 75 70 6f 6e 61 67 65 2e 63 6f 6d
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:12;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:11;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2008754
-------- Hex Payload Start ----------
43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 20 0d 0a 52 61 72 21
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css|0d 0a|"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:9;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2002816
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002817
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003472
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003473
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001884
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003445
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
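The three rules the builder skipped with "Unsupported keyword!" (sids 2008438, 2009897 and 2009909) share one detection chain: a text Content-Type in the header, "MZ" immediately after the blank line that ends the headers, a byte_jump that reads the DOS header's e_lfanew field, and "PE|00 00|" checked with distance:-64; within:4. The builder produced no payload for them, so it is not obvious from the log why -64 is the right distance. The following is an added example, not the rule builder's code and not Emerging Threats' code: it re-implements the chain's cursor arithmetic in Python on a constructed HTTP response carrying a synthetic DOS/PE header (the body is not an executable, only enough header to exercise the rule). It works on raw bytes; the real rules match Content-Type in the normalised http_header buffer, and the flowbits check on 2008438 is left out.

```python
import struct

# Added example, not the rule builder's or Emerging Threats' own code.
# (sid, header bytes the rule keys on), taken from the three skipped rules.
RULES = [
    (2008438, b"Content-Type: text/plain"),
    (2009897, b"Content-Type: text/html\r\n"),
    (2009909, b"Content-Type: text/css\r\n"),
]


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed body: a DOS header starting 'MZ' whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. Not an executable."""
    assert e_lfanew >= 0x40, "PE header must follow the 64-byte DOS header"
    dos = bytearray(b"MZ") + b"\x90" * 58            # bytes 0..59
    dos += struct.pack("<I", e_lfanew)                # bytes 60..63: e_lfanew
    dos += b"\x00" * (e_lfanew - len(dos))            # DOS stub padding
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"   # signature + Machine (i386)


def http_response(content_type: bytes, body: bytes) -> bytes:
    """Constructed minimal HTTP response carrying the given body."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def claims_text_but_carries_pe(response: bytes, header_needle: bytes) -> bool:
    """Walk the rule's content/byte_jump chain step by step."""
    # content:"Content-Type|3a| ..."; http_header;
    if header_needle not in response:
        return False
    # content:"|0d 0a 0d 0a|MZ";  -> the detection cursor ends up after "MZ"
    idx = response.find(b"\r\n\r\nMZ")
    if idx == -1:
        return False
    mz = idx + 4                     # offset of 'M'
    cursor = mz + 2                  # cursor after the MZ match
    # byte_jump:4,58,relative,little;
    # read 4 little-endian bytes at cursor+58 == mz+60 == the e_lfanew field,
    # then move the cursor past that field and forward by the value read
    field = cursor + 58
    if field + 4 > len(response):
        return False
    e_lfanew = struct.unpack_from("<I", response, field)[0]
    cursor = field + 4 + e_lfanew    # == mz + 64 + e_lfanew
    # content:"PE|00 00|"; distance:-64; within:4;
    # cursor-64 == mz+e_lfanew, exactly where the PE signature must sit,
    # and within:4 leaves room for nothing but the 4 signature bytes
    start = cursor - 64
    return response[start:start + 4] == b"PE\x00\x00"


def matching_sids(response: bytes) -> list:
    """Return the sids from RULES whose chain matches the response."""
    return [sid for sid, needle in RULES
            if claims_text_but_carries_pe(response, needle)]


if __name__ == "__main__":
    for ctype in (b"text/plain", b"text/html", b"application/octet-stream"):
        print(ctype.decode(), matching_sids(http_response(ctype, build_fake_pe())))
```

A body that merely contains "MZ" (a text file talking about DOS headers, say) fails either because there are not 60 more bytes to read or because the jumped-to location does not hold the PE signature, which is what keeps the chain from firing on plain text.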
|---------------------|
Building Rule: 2003444
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007978
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w uricontent:"mac=0A:AA:AA:AA:AA:AA";
|---------------------|
Building Rule: 2006427
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w uricontent:"sn=0A:AA:AA:AA:AA:AA";
|---------------------|
Building Rule: 2006428
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w uricontent:"mac=0A:AA:AA:AA:AA:AA";
|---------------------|
Building Rule: 2006431
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w uricontent:"cn=0A:AA:AA:AA:AA:AA";
|---------------------|
Building Rule: 2006432
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w uricontent:"mac=0A:AA:AA:AA:AA:AA";
|---------------------|
Building Rule: 2006433
-------- Hex Payload Start ----------
50 4f 53 54 20 20 20 20
--------- Hex Payload End -----------
mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w uricontent:"mac=0A:AA:AA:AA:AA:AA";
|---------------------|
Building Rule: 2007642
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002967
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003084
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003440
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001416
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001417
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001418
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001423
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003504
-------- Hex Payload Start ----------
20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002009
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002010
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002317
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002318
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002319
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001038
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003304
-------- Hex Payload Start ----------
20 65 66 66 65 63 74 69 76 65 62 72 61 6e 64 73 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003360
-------- Hex Payload Start ----------
20 65 66 66 65 63 74 69 76 65 62 72 61 6e 64 73 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002966
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003414
-------- Hex Payload Start ----------
20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003416
-------- Hex Payload Start ----------
20 20 48 6f 73 74 3a 20 20 65 70 69 6c 6f 74 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000585
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000582
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001221
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003579
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003581
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000936
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001710
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001705
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002840
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 73 65 20 66 72 65 65 7a 65 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002841
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 73 65 20 66 72 65 65 7a 65 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003362
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009705
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000599
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001013
-------- Hex Payload Start ----------
20 46 75 6e 57 65 62 50 72 6f 64 75 63 74 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002305
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002306
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002858
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003151
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2003348
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000025
-------- Hex Payload Start ----------
77 65 62 70 64 70 63 6f 6f 6b 69 65 20 2e 67 61 74 6f 72 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000597
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000596
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001306
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000514
-------- Hex Payload Start ----------
77 73 68 2e 52 65 67 57 72 69 74 65 20 48 4b 4c 4d 5c 5c 5c 5c 53 6f 66 74 77 61 72 65 5c 5c 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 5c 5c 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 5c 5c 5c 5c 4d 61 69 6e 5c 5c 5c 5c 53 74 61 72 74 20 50 61 67 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000519
-------- Hex Payload Start ----------
73 68 65 6c 6c 3a 77 69 6e 64 6f 77 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000520
-------- Hex Payload Start ----------
73 68 65 6c 6c 3a 77 69 6e 6e 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001656
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 77 77 77 2e 67 6c 6f 62 61 6c 70 68 6f 6e 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001657
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001659
-------- Hex Payload Start ----------
20 20 67 6c 6f 62 61 6c 70 68 6f 6e 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001660
-------- Hex Payload Start ----------
20 20 67 6c 6f 62 61 6c 70 68 6f 6e 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2008375
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002012
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2002013
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007744
-------- Hex Payload Start ----------
20 20 20 20 48 54 54 50 2f 31 2e 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2007749
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2007750
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000920
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000921
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000922
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2000923
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------| Building Rule: 2000924 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 360 |---------------------| Building Rule: 2000929 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000925 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002820 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003364 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003388 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008917 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008918 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001490 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002090 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002096 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000927 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000928 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001395 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001697 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001793 -------- 
Hex Payload Start ---------- 20 69 6e 63 72 65 64 69 73 65 61 72 63 68 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001794 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 69 6e 63 72 65 64 69 73 65 61 72 63 68 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003376 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002015 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001308 -------- Hex Payload Start ---------- 20 2f 77 73 69 38 2f 6f 70 74 69 6d 69 7a 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001396 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002019 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002016 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2010438 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003201 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003202 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 77 77 77 2e 6b 6c 69 6b 73 6f 66 74 77 61 72 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003203 -------- Hex Payload Start ---------- 20 67 65 74 2e 68 69 74 76 69 72 75 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003204 -------- Hex Payload Start ---------- 20 20 20 48 6f 73 74 3a 20 77 77 77 2e 6b 6c 69 6b 73 6f 66 74 77 61 72 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003298 
-------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2003526 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2008067 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2008069 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001340 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2001499 -------- Hex Payload Start ---------- 52 65 66 65 72 65 72 3a 20 4c 6f 6f 6b 32 4d 65 --------- Hex Payload End -----------
&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d NOT IMPL not _simple(av) in REPEATING CODES uricontent:"&ID={00000000-AAAAAAAAAAAA}";
|---------------------| Building Rule: 2008474 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b --------- Hex Payload End -----------
|---------------------| Building Rule: 2003611 -------- Hex Payload Start ---------- 20 20 20 48 6f 73 74 3a 20 77 77 77 2e 4d 61 6c 77 61 72 65 41 6c 61 72 6d 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2003612 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 48 6f 73 74 3a 20 64 6f 77 6e 6c 6f 61 64 2e 4d 61 6c 77 61 72 65 41 6c 61 72 6d 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2000902 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001359 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001563 -------- Hex Payload Start ---------- 77 77 77 2e 6d 61 72 6b 65 74 73 63 6f 72 65 2e 63 6f 6d 20 49 6e 73 74 61 6e 74 53 53 4c 31 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic"; flow:to_server,established; content:"X-OSSProxy|3a| OSSProxy"; http_header; threshold: type limit, count 5, seconds 300, track by_src; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:10;)
Parser failed - skipping rule
|---------------------| Building Rule: 2003253 -------- Hex Payload Start ---------- 20 4f 53 53 2d 50 72 6f 78 79 --------- Hex Payload End -----------
|---------------------| Building Rule: 2001587 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001588 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001589 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2008759 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 64 6f 77 73 20 35 2e 31 20 28 32 36 30 30 29 3b 20 44 4d 43 50 --------- Hex Payload End -----------
|---------------------| Building Rule: 2003344 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2001783 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001448 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 77 77 77 2e 6d 74 2d 64 6f 77 6e 6c 6f 61 64 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2001481 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001503 -------- Hex Payload Start ---------- 20 20 20 48
6f 73 74 3a 63 6f 6e 66 69 67 2e 6d 65 64 69 61 6c 6f 61 64 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001509 -------- Hex Payload Start ---------- 20 20 48 6f 73 74 3a 63 6f 6e 66 69 67 2e 6d 65 64 69 61 6c 6f 61 64 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001507 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c --------- Hex Payload End ----------- |---------------------| Building Rule: 2001666 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 6d 65 74 61 72 65 77 61 72 64 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001641 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001643 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001644 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001645 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000583 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000584 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003577 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009234 -------- Hex Payload Start ---------- 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 41 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001747 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003351 -------- Hex Payload Start ---------- 20 20 4d 79 53 65 61 72 63 68 29 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2003352 -------- Hex Payload Start ---------- 20 20 4d 79 53 65 61 72 63 68 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007996 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003221 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 50 53 79 73 74 65 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008915 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009524 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 20 20 --------- Hex Payload End ----------- \/ms\d\d\dcfg\.jsp uricontent:"/ms000cfg.jsp"; |---------------------| Building Rule: 2002839 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000600 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002836 -------- Hex Payload Start ---------- 20 4d 79 57 65 62 53 65 61 72 63 68 57 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003222 -------- Hex Payload Start ---------- 20 4d 79 57 65 62 53 65 61 72 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003617 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003240 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003241 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- 
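The converter output above records, for each rule it accepts, the bytes of the rule's content: option as a hex payload and, where present, the threshold text, and when it meets a keyword it does not handle it prints the whole rule text between "Unsupported keyword! Error parsing rule contents" and "Parser failed - skipping rule", as it did for sid 2001564 above. The Python below is an added example, not the page's converter, that performs the same steps on the rule texts the log prints verbatim (2001564 above, 2001570 further down, and the SOCKSv4 rule 2003256): it splits the option list, decodes the |xx xx| hex runs and backslash escapes inside content:, echoes the threshold, and reports every keyword outside a fixed supported set. The log never says which keyword the page's tool rejected, so the SUPPORTED set, which leaves out the http_header, http_uri and http_client_body buffer modifiers, is this example's assumption; with that set the example skips 2001564 and 2001570 and accepts 2003256.

```python
import re

# One rule option, keyword[:value]; a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')

# Keywords this example understands. The log never says which keyword the
# page's converter rejected, so this set is an assumption of the example; the
# HTTP buffer modifiers (http_header, http_uri, http_client_body) are left out.
SUPPORTED = {"msg", "flow", "content", "nocase", "depth", "offset", "dsize",
             "threshold", "reference", "classtype", "sid", "rev"}

# Rule texts as the log prints them before "Parser failed - skipping rule".
RULE_2001564 = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com '
    'Spyware Proxied Traffic"; flow:to_server,established; content:"X-OSSProxy|3a| '
    'OSSProxy"; http_header; threshold: type limit, count 5, seconds 300, track by_src; '
    'reference:url,www.marketscore.com; '
    'reference:url,www.spysweeper.com/remove-marketscore.html; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2001564; '
    'classtype:policy-violation; sid:2001564; rev:10;)'
)
RULE_2001570 = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware Stormer '
    'Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; '
    'nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; '
    'reference:url,www.spywarestormer.com; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2001570; '
    'classtype:trojan-activity; sid:2001570; rev:9;)'
)
RULE_2003256 = (
    'alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 '
    'Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; '
    'content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, '
    'seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; '
    'reference:url,en.wikipedia.org/wiki/SOCKS; '
    'reference:url,ss5.sourceforge.net/socks4.protocol.txt; '
    'reference:url,ss5.sourceforge.net/socks4A.protocol.txt; '
    'reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; '
    'reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2003256; '
    'classtype:protocol-command-decode; sid:2003256; rev:5;)'
)


def content_to_bytes(value: str) -> bytes:
    """Decode a content: string: |xx xx| runs are hex, a backslash escapes the
    next character (\\| \\" \\\\), and everything else is taken as ASCII."""
    out, i = bytearray(), 0
    while i < len(value):
        c = value[i]
        if c == "|":
            j = value.index("|", i + 1)
            out += bytes.fromhex(value[i + 1:j])
            i = j + 1
        elif c == "\\" and i + 1 < len(value):
            out.append(ord(value[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a rule into its header words and an ordered (keyword, value) list."""
    header, _, body = rule.strip().partition("(")
    if not body.endswith(")"):
        raise ValueError("rule options not closed")
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(body[:-1])]
    return {"header": header.split(), "options": options}


def build_record(rule: str) -> dict:
    """The log-style record for one rule: sid, each content: as hex, the threshold
    text, and whether a converter limited to SUPPORTED would skip the rule."""
    by_key = {}
    for k, v in parse_rule(rule)["options"]:
        by_key.setdefault(k, []).append(v)
    unsupported = sorted(k for k in by_key if k not in SUPPORTED)
    return {
        "sid": by_key["sid"][0],
        "payloads": [content_to_bytes(v).hex(" ") for v in by_key.get("content", [])],
        "threshold": by_key.get("threshold", [None])[0],
        "unsupported": unsupported,
        "skipped": bool(unsupported),
    }


if __name__ == "__main__":
    for rule in (RULE_2001564, RULE_2001570, RULE_2003256):
        print(build_record(rule))
```

The per-content hex strings are kept separate rather than joined, because the log does not show how the page's converter combines several content: options into one payload.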
|---------------------| Building Rule: 2001538 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001539 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 2e 6f 65 6d 6a 69 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003055 Parser failed - skipping rule |---------------------| Building Rule: 2011124 Parser failed - skipping rule |---------------------| Building Rule: 2001341 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007855 -------- Hex Payload Start ---------- 47 45 54 20 68 6f 73 74 3a 20 75 70 67 72 61 64 65 2e 6f 6e 65 73 74 65 70 73 65 61 72 63 68 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002044 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ctxad-\d+\.sig uricontent:"ctxad-0.sig"; |---------------------| Building Rule: 2001495 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001496 -------- Hex Payload Start ---------- 20 6f 75 74 65 72 69 6e 66 6f 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001497 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 63 61 6d 70 61 69 67 6e 73 2e 6f 75 74 65 72 69 6e 66 6f 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003426 -------- Hex Payload Start ---------- 20 20 20 20 20 20 6f 75 74 65 72 69 6e 66 6f 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008456 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002083 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007786 -------- Hex Payload Start ---------- 55 
73 65 72 2d 41 67 65 6e 74 3a 20 50 43 44 6f 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007804 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 79 70 63 64 6f 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009712 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 26 68 64 6d 61 63 69 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003547 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007664 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001748 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2007821 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 5f 43 6f 6e 6e 65 63 74 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2001311 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008402 -------- Hex Payload Start ---------- 43 01 00 20 43 61 73 69 6e 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001223 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001224 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000601 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001696 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002296 -------- Hex Payload 
Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002297 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002298 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002299 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002300 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002301 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002302 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002303 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001474 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001475 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001480 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001483 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001484 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001540 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001533 -------- Hex Payload Start ---------- 20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001534 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
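Three lines above show the converter reducing a pcre: pattern to a single uricontent: literal: in \/ms\d\d\dcfg\.jsp each \d becomes 0, in ctxad-\d+\.sig the \d+ becomes a single 0, and in the GUID pattern the classes [0-9A-F] and [A-F0-9] become their first member while the repeated group (?:-[A-F0-9]{4}){3} is dropped with the "NOT IMPL not _simple(av) in REPEATING CODES" note. That last case is the one to check: the emitted literal &ID={00000000-AAAAAAAAAAAA} cannot occur in any URI the pattern matches, because the pattern requires three -XXXX groups between the 8 and the 12 hex digits, so that uricontent can never fire on the traffic the original rule described. The Python below is an added example, not the page's tool: it derives one concrete string a pattern matches (keeping repeated groups, so it goes beyond what the log's converter handled), verifies the result against the original pattern with re before returning it, and makes the coverage loss explicit, since the literal fires only on the one instance it encodes while the pattern also matches /ms123cfg.jsp and every other instance. Negated classes and alternation are deliberately rejected rather than guessed.

```python
import re


def _class_witness(pat: str, i: int):
    """[...] at pat[i]: the class's first member, and the index after the ']'."""
    j = pat.index("]", i + 1)
    first = pat[i + 1]
    if first == "^":
        raise NotImplementedError("negated character class")
    if first == "\\":
        return _atom_witness(pat, i + 1)[0], j + 1
    return first, j + 1


def _atom_witness(pat: str, i: int):
    """One atom at pat[i]: (a string it matches, index just after the atom)."""
    c = pat[i]
    if c == "\\":
        e = pat[i + 1]
        if e == "d":
            return "0", i + 2
        if e == "w":
            return "a", i + 2
        if e == "s":
            return " ", i + 2
        if e == "x":                                   # \xHH, e.g. \x7b is '{'
            return chr(int(pat[i + 2:i + 4], 16)), i + 4
        return e, i + 2                                # \. \/ and other escaped literals
    if c == "[":
        return _class_witness(pat, i)
    if c == "(":                                       # group, capturing or (?:...)
        start = i + 3 if pat.startswith("(?:", i) else i + 1
        inner, j = _seq_witness(pat, start, stop=")")
        return inner, j + 1
    if c == ".":
        return "a", i + 1
    if c in "^$":
        return "", i + 1
    return c, i + 1


def _seq_witness(pat: str, i: int = 0, stop=None):
    """Quantified atoms up to `stop` (or the end): the minimum each quantifier
    allows is emitted, so {n} gives n copies, + gives one, * and ? give none."""
    out = []
    while i < len(pat) and pat[i] != stop:
        if pat[i] == "|":
            raise NotImplementedError("alternation")
        atom, i = _atom_witness(pat, i)
        n = 1
        if i < len(pat) and pat[i] == "{":
            j = pat.index("}", i)
            n, i = int(pat[i + 1:j].split(",")[0] or 0), j + 1
        elif i < len(pat) and pat[i] == "+":
            i += 1
        elif i < len(pat) and pat[i] in "*?":
            n, i = 0, i + 1
        if i < len(pat) and pat[i] == "?":             # lazy modifier such as +?
            i += 1
        out.append(atom * n)
    if stop is not None and i >= len(pat):
        raise ValueError("unbalanced group")
    return "".join(out), i


def _strip_delimiters(pcre: str):
    """Accept either a bare pattern or the /pattern/flags form of a pcre: option."""
    if pcre.startswith("/"):
        pat, _, mods = pcre[1:].rpartition("/")
        return pat, (re.IGNORECASE if "i" in mods else 0)
    return pcre, 0


def pcre_to_literal(pcre: str) -> str:
    """Derive one concrete string the pattern matches and confirm it with re
    before returning it, so a literal that cannot fire is never emitted."""
    pat, flags = _strip_delimiters(pcre)
    witness, _ = _seq_witness(pat)
    if re.fullmatch(pat, witness, flags) is None:
        raise ValueError(f"derived literal {witness!r} does not match {pat!r}")
    return witness


def pattern_matches(pcre: str, sample: str) -> bool:
    """Does the original pcre fire on this sample?"""
    pat, flags = _strip_delimiters(pcre)
    return re.search(pat, sample, flags) is not None


def literal_catches(pcre: str, sample: str) -> bool:
    """Would a content match on the derived literal fire on this sample? Compare
    with pattern_matches() to see the coverage the conversion gives up."""
    return pcre_to_literal(pcre) in sample
```

Run pattern_matches() and literal_catches() side by side over a sample of real URIs before shipping a literal in place of a pcre: the pair shows exactly which requests the converted signature stops seeing.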
|---------------------| Building Rule: 2001535 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 69 6e 73 74 61 6c 6c 2e 73 65 61 72 63 68 6d 69 72 61 63 6c 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001744 -------- Hex Payload Start ---------- 2f 73 69 64 65 62 2e 65 78 65 20 48 6f 73 74 3a 20 69 6e 73 74 61 6c 6c 2e 73 65 61 72 63 68 6d 69 72 61 63 6c 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2002091 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001650 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 63 6f 6e 74 65 6e 74 2e 73 65 61 72 63 68 73 63 6f 75 74 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001653 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 72 65 73 75 6c 74 73 2e 73 65 61 72 63 68 73 63 6f 75 74 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003576 -------- Hex Payload Start ---------- 20 73 65 63 75 72 69 74 79 2d 75 70 64 61 74 65 72 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008356 -------- Hex Payload Start ---------- 20 20 20 20 20 20 26 70 61 72 74 69 64 3d 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008016 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001460 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 63 6f 75 6e 74 65 72 2e 73 65 78 6d 61 6e 69 61 63 6b 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2000580 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000581 -------- Hex Payload Start ---------- ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f 20 46 b3 3b 8b 38 cc 2c 2a 
a4 c3 07 67 67 df 65 41 --------- Hex Payload End -----------
|---------------------| Building Rule: 2001708 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2002037 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2002000 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2008370 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2001016 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001017 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2002821 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2009005 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 3b 20 53 49 4d 42 41 52 3d 7b --------- Hex Payload End -----------
|---------------------| Building Rule: 2001505 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001516 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2001513 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2007956 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6e 6f 6f 70 53 74 69 63 6b 20 --------- Hex Payload End -----------
type both, track by_src, count 1, seconds 900
|---------------------| Building Rule: 2003254 Error here depth!
-------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 00 19 --------- Hex Payload End -----------
type both, track by_src, count 1, seconds 900
|---------------------| Building Rule: 2003255 Error here depth!
-------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 00 19 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:5;) Parser failed - skipping rule type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003258 -------- Hex Payload Start ---------- 05 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003259 -------- Hex Payload Start ---------- 05 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003260 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 00 50 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003261 Error here depth! 
-------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 00 50 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003262 -------- Hex Payload Start ---------- 04 01 00 50 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003263 -------- Hex Payload Start ---------- 04 01 00 50 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003266 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 01 bb --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003267 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 01 bb --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003268 -------- Hex Payload Start ---------- 04 01 01 bb 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003269 -------- Hex Payload Start ---------- 04 01 01 bb 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003270 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 14 46 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003271 Error here depth! 
-------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 14 46 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003272 -------- Hex Payload Start ---------- 04 01 14 46 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003273 -------- Hex Payload Start ---------- 04 01 14 46 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003274 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 07 47 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003275 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 07 47 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003276 -------- Hex Payload Start ---------- 04 01 07 47 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003277 -------- Hex Payload Start ---------- 04 01 07 47 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003278 Error here depth! -------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 13 ba --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003279 Error here depth! 
-------- Hex Payload Start ---------- 05 01 00 01 20 20 20 20 13 ba --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003280 -------- Hex Payload Start ---------- 04 01 13 ba 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_src, count 1, seconds 900 |---------------------| Building Rule: 2003281 -------- Hex Payload Start ---------- 04 01 13 ba 00 00 00 00 00 00 --------- Hex Payload End ----------- type both, track by_dst, count 1, seconds 900 |---------------------| Building Rule: 2003286 Error here depth! -------- Hex Payload Start ---------- 00 00 20 01 --------- Hex Payload End ----------- type both, track by_dst, count 1, seconds 900 |---------------------| Building Rule: 2003287 Error here depth! -------- Hex Payload Start ---------- 00 00 20 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008135 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008148 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007861 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007696 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001711 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 6f 64 7a 69 6c 6c 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002988 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2002990 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 29 --------- Hex Payload End ----------- 
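The SOCKS rules above (sids 2003254 through 2003281) watch for proxy requests arriving from $EXTERNAL_NET at a host on $HOME_NET, as the two quoted rule headers show; an inside host that accepts CONNECT requests from outside is relaying someone else's traffic. The payloads make the target explicit once decoded: 05 01 00 01 followed by four address bytes and 00 19 is a SOCKS5 CONNECT (VER 5, CMD 1, RSV 0, ATYP 1 for IPv4) to port 0x0019 = 25, 04 01 00 19 is the SOCKS4 form (VN 4, CD 1, DSTPORT 25), and the other pairs carry 0x0050 (80), 0x01bb (443), 0x1446 (5190, AIM/ICQ), 0x0747 (1863, MSN Messenger) and 0x13ba (5050, Yahoo Messenger). The version byte also exposes a labelling slip in the quoted rule text: the msg of sid 2003257 says SOCKSv5 while its content starts with 04, a SOCKS4 request. The decoder below is an added example, not the page's tool: it parses SOCKS4, SOCKS4a and SOCKS5 requests as socks4.protocol.txt and RFC 1928 (both referenced by the rules) define them and names the service behind each port. The LOG_PAYLOADS table copies the log's bytes, with the zero fill after a SOCKS4 port shortened to an illustrative count; the four 0x20 bytes the log prints where the SOCKS5 address goes are decoded as they stand (32.32.32.32); the domain-name and SOCKS4a inputs are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_CMD = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

# The destination ports the rules above encode (00 19, 00 50, 01 bb, 14 46,
# 07 47, 13 ba) and the services that listen there.
PROXIED_PORTS = {25: "SMTP", 80: "HTTP", 443: "HTTPS", 5190: "AIM/ICQ",
                 1863: "MSN Messenger", 5050: "Yahoo Messenger"}


@dataclass
class SocksRequest:
    version: int
    command: str
    dst_host: str
    dst_port: int
    trailing: bytes       # whatever follows the request, kept for inspection


def decode_socks_request(data: bytes) -> SocksRequest:
    """Decode a SOCKS4/4a request or a SOCKS5 request (the message that follows
    SOCKS5 method negotiation). Raises ValueError for anything else."""
    if len(data) < 2:
        raise ValueError("too short for a SOCKS request")
    ver = data[0]
    if ver == 4:
        # VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL for SOCKS4a]
        if len(data) < 9:
            raise ValueError("SOCKS4 request needs 8 header bytes plus a NUL")
        cd, port = data[1], struct.unpack("!H", data[2:4])[0]
        ip = str(ipaddress.IPv4Address(bytes(data[4:8])))
        nul = data.index(0, 8)
        host, rest = ip, data[nul + 1:]
        if ip.startswith("0.0.0.") and ip != "0.0.0.0":     # SOCKS4a: name follows
            nul2 = rest.index(0)
            host, rest = rest[:nul2].decode("latin-1"), rest[nul2 + 1:]
        return SocksRequest(4, SOCKS_CMD.get(cd, f"UNKNOWN({cd})"), host, port, rest)
    if ver == 5:
        # VER CMD RSV ATYP DST.ADDR DST.PORT(2), RFC 1928 section 4
        if len(data) < 4 or data[2] != 0:
            raise ValueError("malformed SOCKS5 request")
        cmd, atyp = data[1], data[3]
        if atyp == 1:
            host, i = str(ipaddress.IPv4Address(bytes(data[4:8]))), 8
        elif atyp == 3:
            n = data[4]
            host, i = data[5:5 + n].decode("latin-1"), 5 + n
        elif atyp == 4:
            host, i = str(ipaddress.IPv6Address(bytes(data[4:20]))), 20
        else:
            raise ValueError(f"unknown ATYP {atyp}")
        if len(data) < i + 2:
            raise ValueError("truncated SOCKS5 request")
        port = struct.unpack("!H", data[i:i + 2])[0]
        return SocksRequest(5, SOCKS_CMD.get(cmd, f"UNKNOWN({cmd})"), host, port, data[i + 2:])
    raise ValueError(f"not a SOCKS request (version byte {ver:#04x})")


def describe(req: SocksRequest) -> str:
    service = PROXIED_PORTS.get(req.dst_port, "other")
    return f"SOCKS{req.version} {req.command} {req.dst_host}:{req.dst_port} ({service})"


# Request payloads as the log prints them: SOCKS5 with 0x20 in the four address
# bytes, SOCKS4 zero-filled after the port (the zero count here is illustrative).
LOG_PAYLOADS = {
    2003254: bytes.fromhex("05 01 00 01 20 20 20 20 00 19"),
    2003262: bytes.fromhex("04 01 00 50") + bytes(12),
    2003266: bytes.fromhex("05 01 00 01 20 20 20 20 01 bb"),
    2003272: bytes.fromhex("04 01 14 46") + bytes(12),
    2003274: bytes.fromhex("05 01 00 01 20 20 20 20 07 47"),
    2003280: bytes.fromhex("04 01 13 ba") + bytes(10),
}

# Constructed inputs, not from the log: a SOCKS5 domain-name CONNECT and a
# SOCKS4a CONNECT, both to example.com port 25.
SOCKS5_DOMAIN_EXAMPLE = bytes.fromhex("05 01 00 03 0b") + b"example.com" + bytes.fromhex("00 19")
SOCKS4A_EXAMPLE = bytes.fromhex("04 01 00 19 00 00 00 01 00") + b"example.com\x00"


def log_targets() -> list:
    """(sid, description) for every request payload taken from the log."""
    return [(sid, describe(decode_socks_request(p))) for sid, p in LOG_PAYLOADS.items()]


if __name__ == "__main__":
    for sid, text in log_targets():
        print(sid, text)
```

Feeding the first bytes of an inbound TCP stream to decode_socks_request() and keeping only results where the destination port is in PROXIED_PORTS reproduces what the rule set is looking for without depending on the fixed address bytes the converter emitted.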
|---------------------| Building Rule: 2002991 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003450 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001321 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003377 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003375 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002984 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002987 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003251 -------- Hex Payload Start ---------- 20 20 20 74 72 69 61 6c 2e 70 68 70 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007593 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002804 -------- Hex Payload Start ---------- 20 73 70 79 77 61 72 65 61 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002805 -------- Hex Payload Start ---------- 20 73 70 79 77 61 72 65 61 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002806 -------- Hex Payload Start ---------- 20 73 70 79 61 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001489 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 73 70 79 67 61 6c 61 78 79 2e 77 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007649 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2001536 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001537 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 20 73 70 79 73 70 6f 74 74 65 72 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001522 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 73 65 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:trojan-activity; sid:2001570; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2001571 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001442 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001731 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001992 -------- Hex Payload Start ---------- 20 68 6f 73 74 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001994 -------- Hex Payload Start ---------- 20 26 70 63 6b 5f 69 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2002738 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003390 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003391 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2001510 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001514 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007856 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007944 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 67 68 32 30 --------- Hex Payload End ----------- victim\.php\?\d\d\d\d\d uricontent:"victim.php?00000"; |---------------------| Building Rule: 2007945 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003533 -------- Hex Payload Start ---------- 20 50 4f 53 54 20 73 79 74 65 73 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001997 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002046 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001482 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001485 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007788 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 20 74 68 65 69 6e 73 74 61 6c 6c 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001488 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001729 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001734 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001890 -------- Hex Payload 
Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001895 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001646 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001647 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001648 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001334 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 65 5a 75 6c 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001335 -------- Hex Payload Start ---------- 65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001520 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 74 6f 70 61 6e 74 69 73 70 79 77 61 72 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2002004 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002040 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009831 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 69 63 68 43 61 73 69 6e 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2001313 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 360 |---------------------| Building Rule: 2001315 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 360 |---------------------| Building Rule: 2001316 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- |---------------------| Building Rule: 2002736 -------- Hex Payload Start ---------- 20 20 20 74 72 61 66 66 69 63 73 65 63 74 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002320 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/abt\?data=\S{150} uricontent:"/abt?data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2003297 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009091 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 63 72 6f 76 69 73 69 6f 6e 5f 44 4d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001995 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001998 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002999 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003000 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011148 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d uricontent:"/Pro/pro.php?mac=00-00-00-00-00-00&key=0"; |---------------------| Building Rule: 2008157 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+ uricontent:"/Pro/cnt.php?mac=00-00-00-00-00-00&key=0"; |---------------------| Building Rule: 2008158 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 
2008180 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 35 3b 20 57 69 6e 64 6f 77 73 20 39 38 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002348 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002350 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007995 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001525 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001526 -------- Hex Payload Start ---------- 20 76 69 72 74 75 6d 6f 6e 64 65 2e 63 6f 6d --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:trojan-activity; sid:2007870; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2003442 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001317 -------- Hex Payload Start ---------- 57 65 62 48 61 6e 63 65 72 20 41 75 74 68 6f 72 69 74 79 20 53 65 72 76 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001677 -------- Hex Payload Start ---------- 50 4f 53 54 20 68 74 74 70 3a 2f 2f 70 72 69 6d 65 2e 77 65 62 68 61 6e 63 65 72 2e 63 6f 6d 20 41 67 65 6e 74 54 61 67 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001325 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001517 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002036 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001307 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001309 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001310 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001314 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2001322 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002008 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001700 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001701 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 70 75 62 6c 69 63 2e 77 69 6e 64 75 70 64 61 74 65 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003543 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 77 77 77 2e 77 69 6e 66 69 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003353 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003356 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/newuser\.php\?saff=(\d+|x.+) uricontent:"/newuser.php?saff=0"; |---------------------| Building Rule: 2008012 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:trojan-activity; sid:2008197; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2001461 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001462 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:trojan-activity; sid:2001463; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2001464 -------- Hex Payload Start ---------- 20 78 70 69 72 65 2e 69 6e 66 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2001466 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001467 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001468 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001469 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001470 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001471 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001472 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 64 6f 77 73 20 49 6e 74 65 72 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001491 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 78 70 69 72 65 2e 69 6e 66 6f 0d 0a --------- Hex Payload End ----------- /user\d+/counter\.htm content:"/user0/counter.htm"; |---------------------| Building Rule: 2001541 -------- Hex Payload Start ---------- 63 6f 75 6e 74 65 72 2e 68 74 6d 20 2f 75 73 65 72 30 2f 63 6f 75 6e 74 65 72 2e 68 74 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003354 -------- Hex Payload 
Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002092 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002098 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001947 -------- Hex Payload Start ---------- 20 7a 65 6e 6f 74 65 63 6e 69 63 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2002735 -------- Hex Payload Start ---------- 20 7a 65 6e 6f 74 65 63 6e 69 63 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2002737 -------- Hex Payload Start ---------- 20 7a 65 6e 6f 74 65 63 6e 69 63 6f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:6;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp?rnd="; http_uri; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&umode="; http_client_body; content:"&cn="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; classtype:trojan-activity; sid:2008798; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2003525 -------- Hex Payload Start ---------- 20 61 61 76 61 6c 75 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2002740 -------- Hex Payload Start ---------- 20 61 64 73 65 72 76 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002708 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- loaderadv\d+\.jar uricontent:"loaderadv0.jar"; |---------------------| Building Rule: 2002709 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- loadadv\d+\.exe uricontent:"loadadv0.exe"; |---------------------| Building Rule: 2002710 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008681 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003451 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003475 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 42 43 2f 41 42 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001059 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 72 65 73 --------- Hex Payload End ----------- type limit, count 1, 
seconds 300, track by_src |---------------------| Building Rule: 2003437 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 72 65 73 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008591 -------- Hex Payload Start ---------- 72 be 62 6c 6f 6f 70 00 64 56 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 72 65 73 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007799 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 7a 75 72 65 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011713 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 54 53 50 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2006371 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 65 61 72 53 68 61 72 65 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006379 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011710 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 74 43 6f 6d 65 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011702 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 74 54 6f 72 6e 61 64 6f 2f --------- Hex Payload End ----------- type limit, track by_dst, seconds 300, count 1 |---------------------| Building Rule: 2000334 -------- Hex Payload Start ---------- 00 00 00 0d 06 00 --------- Hex Payload End ----------- type limit, count 1, seconds 120, track by_src |---------------------| Building Rule: 2000357 -------- Hex 
Payload Start ---------- 00 00 40 09 07 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000369 -------- Hex Payload Start ---------- 2f 61 6e 6e 6f 75 6e 63 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006372 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 74 74 6f 72 72 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006375 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\.torrent)$ uricontent:".torrent"; |---------------------| Building Rule: 2007727 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2008581 -------- Hex Payload Start ---------- 64 31 3a 61 64 32 3a 69 64 32 30 3a --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2008582 -------- Hex Payload Start ---------- 64 31 3a 61 64 32 3a 69 64 32 30 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 36 3a 74 61 72 67 65 74 32 30 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 31 3a 71 39 3a 66 69 6e 64 5f 6e 6f 64 65 31 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 31 3a 71 39 3a 66 69 6e 64 5f 6e 6f 64 65 31 3a --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2008583 Error here within! -------- Hex Payload Start ---------- 64 31 3a 72 64 32 3a 69 64 32 30 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 35 3a 6e 6f 64 65 73 --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2008584 Error here within! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 64 31 3a 61 64 32 3a 69 64 32 30 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72 73 31 3a --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2008585 -------- Hex Payload Start ---------- 64 31 3a 61 64 32 3a 69 64 32 30 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 31 3a 71 31 33 3a 61 6e 6e 6f 75 6e 63 65 5f 70 65 65 72 31 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011708 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6c 69 7a 7a 61 72 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011704 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 65 6c 75 67 65 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002814 -------- Hex Payload Start ---------- 24 4d 79 49 4e 46 4f --------- Hex Payload End ----------- |---------------------| Building Rule: 2000332 Error here within! -------- Hex Payload Start ---------- 20 e3 20 20 00 00 00 47 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000333 Error here within! 
-------- Hex Payload Start ---------- 20 e3 20 20 00 00 00 59 --------- Hex Payload End ----------- type limit, track by_dst, count 1 , seconds 600 |---------------------| Building Rule: 2000340 -------- Hex Payload Start ---------- e3 0c b0 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001296 -------- Hex Payload Start ---------- e3 14 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001297 -------- Hex Payload Start ---------- e3 11 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001298 -------- Hex Payload Start ---------- e3 96 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001299 -------- Hex Payload Start ---------- e3 97 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003308 -------- Hex Payload Start ---------- e3 1b 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003309 -------- Hex Payload Start ---------- e3 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003316 -------- Hex Payload Start ---------- e3 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003311 -------- Hex Payload Start ---------- e3 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003312 -------- Hex Payload Start ---------- e3 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003314 -------- Hex Payload Start ---------- e3 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003318 -------- Hex Payload Start ---------- e3 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2003319 -------- Hex Payload Start ---------- e3 98 20 01 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003323 -------- Hex Payload Start ---------- 20 e3 20 20 20 20 01 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 02 01 00 01 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003324 -------- Hex Payload Start ---------- e3 09 00 00 00 34 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011703 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 6e 68 61 6e 63 65 64 2d 43 54 6f 72 72 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011712 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 44 4d 20 33 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2002673 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0b 46 6f 6c 64 65 72 53 68 61 72 65 30 81 9f 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001664 -------- Hex Payload Start ---------- 47 4e 55 54 45 4c 4c 41 20 43 4f 4e 4e 45 43 54 2f --------- Hex Payload End ----------- type both,track by_src,count 10,seconds 600 |---------------------| Building Rule: 2002760 -------- Hex Payload Start ---------- 53 43 50 40 83 44 4e 41 40 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"X-Ultrapeer|3a| True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002761; classtype:policy-violation; sid:2002761; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any 1024: -> any 1024: (msg:"ET P2P Gnutella TCP Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"200 OK|0d 0a|"; within:15; threshold: type both,track by_src,count 5,seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2007801; classtype:policy-violation; sid:2007801; rev:4;) Parser failed - skipping rule type threshold, track by_src,count 10, seconds 60 |---------------------| Building Rule: 2001796 -------- Hex Payload Start ---------- 4b 61 5a 61 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011700 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4b 54 6f 72 72 65 6e 74 2f 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011711 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 6b 74 6f 72 72 65 6e 74 2f 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009966 -------- Hex Payload Start ---------- 64 20 20 20 20 20 70 20 20 20 20 50 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001808 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 69 6d 65 57 69 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007800 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 4c 69 6d 65 57 69 72 65 --------- Hex Payload End ----------- type both, track by_src, count 1, 
seconds 360 |---------------------| Building Rule: 2001809 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 49 50 40 83 53 43 50 41 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009097 -------- Hex Payload Start ---------- 3d 4a d9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type limit, track by_src, seconds 300, count 1 |---------------------| Building Rule: 2009098 -------- Hex Payload Start ---------- 3d 20 d9 20 20 20 20 20 20 20 20 20 20 20 20 20 ed bb 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001035 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001036 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001037 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert udp $HOME_NET 8247 -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape UDP Session"; threshold: type both, count 2, seconds 60, track by_src; reference:url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx; reference:url,doc.emergingthreats.net/2009986; classtype:trojan-activity; sid:2009986; rev:2;) Parser failed - skipping rule type limit, track by_src, count 1, seconds 600 |---------------------| Building Rule: 2010008 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 20 48 54 54 50 2f 31 2e 20 4f 73 68 74 63 70 2d 73 74 72 65 61 6d 74 79 70 65 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011701 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 20 42 69 74 54 6f 72 72 65 6e 74 2c 20 4f 70 65 72 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2000335 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 02 03 00 6c 6f 63 20 00 62 63 70 3a 2f 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008625 -------- Hex Payload Start ---------- 20 50 61 6e 64 6f 2f 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 29 20 50 61 6e 64 6f 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2000015 -------- Hex Payload Start ---------- 57 6f 6e 6b 2d 20 00 23 77 61 73 74 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011707 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 68 61 72 65 61 7a 61 20 32 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2001188 -------- Hex Payload Start ---------- 73 6c 73 6b 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001187 -------- Hex 
Payload Start ---------- 09 00 00 00 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008611 -------- Hex Payload Start ---------- 5c 01 00 00 01 00 00 00 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 300 |---------------------| Building Rule: 2009099 -------- Hex Payload Start ---------- 32 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011699 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 72 61 6e 73 6d 69 73 73 69 6f 6e 2f --------- Hex Payload End ----------- type limit, track by_src, count 10, seconds 600 |---------------------| Building Rule: 2010139 Error here within! -------- Hex Payload Start ---------- 00 00 20 20 20 20 20 05 41 5a 56 45 52 01 20 61 70 70 69 64 --------- Hex Payload End ----------- type limit, count 1, seconds 120, track by_src |---------------------| Building Rule: 2010140 Error here within! Error here within! -------- Hex Payload Start ---------- 00 20 20 20 20 20 20 20 20 00 00 04 20 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010141 Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 00 00 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 20 20 20 20 20 20 20 20 ff ff ff ff 00 00 00 00 02 05 21 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 --------- Hex Payload End ----------- type limit, track by_dst, count 10, seconds 600 |---------------------| Building Rule: 2010142 Error here within! 
Error here within! -------- Hex Payload Start ---------- 00 00 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 20 20 20 20 02 05 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010143 Error here within! Error here within! -------- Hex Payload Start ---------- 00 00 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 20 20 20 20 20 20 20 20 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type limit, count 1, seconds 120, track by_src |---------------------| Building Rule: 2010144 -------- Hex Payload Start ---------- 00 00 04 17 27 10 19 80 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type limit, count 1, seconds 300, track by_src |---------------------| Building Rule: 2009967 -------- Hex Payload Start ---------- e4 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request(2)"; dsize:35; content:"|e4 20|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009968; classtype:policy-violation; sid:2009968; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; classtype:policy-violation; sid:2009969; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; classtype:policy-violation; sid:2009972; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2011705 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 72 74 6f 72 72 65 6e 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011706 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 75 54 6f 72 72 65 6e 74 2f --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"404"; http_stat_code; content:"Not Found"; http_stat_msg; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2000571 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008561 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2010725 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 70 61 63 68 65 42 65 6e 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008350 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 49 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008570 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2006380 -------- Hex Payload Start ---------- 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 3d --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_src |---------------------| Building Rule: 2006402 -------- Hex Payload Start ---------- 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2000418 -------- Hex Payload Start ---------- 7f 45 4c 46 00 00 00 00 00 00 00 00 --------- Hex Payload 
End ----------- !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2007576 -------- Hex Payload Start ---------- 20 32 30 30 20 43 6f 6e 6e 65 63 74 69 6f 6e 20 65 73 74 61 62 6c 69 73 68 65 64 0d 0a 50 72 6f 78 79 2d 61 67 65 6e 74 3a 20 43 43 50 72 6f 78 79 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009801 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 61 72 62 6f 6e 69 74 65 20 49 6e 73 74 61 6c 6c 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003623 -------- Hex Payload Start ---------- 55 53 45 52 2d 41 67 65 6e 74 3a 20 44 6f 6d 61 69 6e 20 44 6f 73 73 69 65 72 20 75 74 69 6c 69 74 79 20 28 68 74 74 70 3a 2f 2f 43 65 6e 74 72 61 6c 4f 70 73 2e 6e 65 74 2f 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003631 -------- Hex Payload Start ---------- 43 65 6e 74 72 61 6c 4f 70 73 2e 6e 65 74 2f 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001239 -------- Hex Payload Start ---------- 45 6e 74 65 72 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 63 6f 6d 6d 61 6e 64 73 2c 20 6f 6e 65 20 70 65 72 20 6c 69 6e 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001240 -------- Hex Payload Start ---------- 42 75 69 6c 64 69 6e 67 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2e 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008860 -------- Hex Payload Start ---------- 50 61 73 73 77 6f 72 64 20 72 65 71 75 69 72 65 64 2c 20 62 75 74 
20 6e 6f 6e 65 20 73 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007754 -------- Hex Payload Start ---------- 43 6c 75 62 20 57 6f 72 6c 64 20 43 61 73 69 6e 6f 73 00 00 00 00 00 --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET POLICY Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:2;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:2;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET POLICY Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:2;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET POLICY Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:2;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET POLICY Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2001294 -------- Hex Payload Start ---------- 44 57 52 43 4b 2e 44 4c 4c --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; content:"Referer|3a| http|3a|//dell"; http_header; content:"Host|3a| "; http_header; content:"myway.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/2008051; classtype:not-suspicious; sid:2008051; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2008942 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, count 1, seconds 120, track by_src |---------------------| Building Rule: 2009475 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 44 79 6e 47 61 74 65 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003410 -------- Hex Payload Start ---------- 32 33 30 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010784 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010785 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010786 -------- Hex Payload Start 
---------- 50 4f 53 54 20 20 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2010819 Error here within! -------- Hex Payload Start ---------- 63 68 61 74 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 20 20 20 20 20 20 20 20 20 6a 61 62 62 65 72 3a 63 6c 69 65 6e 74 --------- Hex Payload End ----------- type limit, count 1, seconds 360, track by_src |---------------------| Building Rule: 2002801 -------- Hex Payload Start ---------- 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 47 6f 6f 67 6c 65 20 44 65 73 6b 74 6f 70 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008238 -------- Hex Payload Start ---------- 47 45 54 20 6d 61 69 6c 2e 6c 69 76 65 2e 63 6f 6d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008239 -------- Hex Payload Start ---------- 47 45 54 20 6d 61 69 6c 2e 6c 69 76 65 2e 63 6f 6d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008240 -------- Hex Payload Start ---------- 47 45 54 20 6d 61 69 6c 2e 6c 69 76 65 2e 63 6f 6d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008242 -------- Hex Payload Start ---------- 47 45 54 20 6d 61 69 6c 2e 6c 69 76 65 2e 63 6f 6d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009535 Error here depth! 
-------- Hex Payload Start ---------- 48 50 20 4a 65 74 44 69 72 65 63 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 61 73 73 77 6f 72 64 20 69 73 20 6e 6f 74 20 73 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009536 -------- Hex Payload Start ---------- 48 65 77 6c 65 74 74 2d 50 61 63 6b 61 72 64 20 46 54 50 20 50 72 69 6e 74 20 53 65 72 76 65 72 20 56 65 72 73 69 6f 6e 20 54 6f 20 70 72 69 6e 74 20 61 20 66 69 6c 65 2c 20 75 73 65 20 74 68 65 20 63 6f 6d 6d 61 6e 64 3a 20 70 75 74 20 3c 66 69 6c 65 6e 61 6d 65 3e 20 5b 70 6f 72 74 78 5d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001055 -------- Hex Payload Start ---------- 2f 70 6c 75 67 69 6e 73 2f 66 72 61 6d 65 77 6f 72 6b 2f 73 63 72 69 70 74 2f 63 6f 6e 74 65 6e 74 2e 68 74 73 20 45 78 65 63 75 74 65 46 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009243 -------- Hex Payload Start ---------- 00 04 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007628 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 68 79 76 65 73 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007629 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 68 79 76 65 73 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007630 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 68 79 76 65 73 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007631 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 68 79 76 65 73 2e 20 20 50 4f 53 54 20 20 70 6f 73 74 6d 61 6e 5f 73 65 63 72 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008295 -------- Hex Payload Start ---------- 20 20 20 20 20 48 6f 73 74 3a 20 61 70 70 6d 73 67 2e 67 61 64 75 2d 67 61 64 75 2e 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2008297 -------- Hex Payload Start ---------- 01 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008298 -------- Hex Payload Start ---------- 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2008300 -------- Hex Payload Start ---------- 09 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008301 -------- Hex Payload Start ---------- 02 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008302 -------- Hex Payload Start ---------- 0b 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008303 -------- Hex Payload Start ---------- 0a 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008304 -------- Hex Payload Start ---------- 08 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008305 -------- Hex Payload Start ---------- 07 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008306 -------- Hex Payload Start ---------- 01 00 00 00 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2008307 -------- Hex Payload Start ---------- 03 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008308 -------- Hex Payload Start ---------- 06 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008309 -------- Hex Payload Start ---------- 03 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001801 Error here depth! -------- Hex Payload Start ---------- 2a 02 20 20 00 19 00 13 00 05 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001802 Error here depth! -------- Hex Payload Start ---------- 2a 02 20 20 00 0e 00 01 00 11 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001803 Error here depth! -------- Hex Payload Start ---------- 2a 02 20 20 00 12 00 01 00 1e --------- Hex Payload End ----------- |---------------------| Building Rule: 2001804 Error here depth! -------- Hex Payload Start ---------- 2a 01 20 20 20 20 20 20 00 01 00 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001805 Error here depth! -------- Hex Payload Start ---------- 2a 02 20 20 20 20 00 04 00 06 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008351 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002327 Error here within! 
-------- Hex Payload Start ---------- 67 6d 61 69 6c 2e 63 6f 6d 20 20 20 20 20 20 20 20 20 6a 61 62 62 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002330 -------- Hex Payload Start ---------- 67 6d 61 69 6c 2e 63 6f 6d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6a 61 62 62 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002334 -------- Hex Payload Start ---------- 67 6d 61 69 6c 2e 63 6f 6d 20 6a 61 62 62 65 72 2e 6f 72 67 20 76 65 72 73 69 6f 6e 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001241 -------- Hex Payload Start ---------- 4d 53 47 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 74 65 78 74 2f 78 2d 6d 73 6d 73 67 73 69 6e 76 69 74 65 20 41 70 70 6c 69 63 61 74 69 6f 6e 2d 4e 61 6d 65 3a 46 69 6c 65 20 54 72 61 6e 73 66 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001242 -------- Hex Payload Start ---------- 4d 53 47 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 74 65 78 74 2f 78 2d 6d 73 6d 73 67 73 69 6e 76 69 74 65 20 49 6e 76 69 74 61 74 69 6f 6e 2d 43 6f 6d 6d 61 6e 64 3a 20 41 43 43 45 50 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001243 -------- Hex Payload Start ---------- 4d 53 47 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 74 65 78 74 2f 78 2d 6d 73 6d 73 67 73 69 6e 76 69 74 65 20 49 6e 76 69 74 61 74 69 6f 6e 2d 43 6f 6d 6d 61 6e 64 3a 43 41 4e 43 45 4c 20 43 61 6e 63 65 6c 2d 43 6f 64 65 3a 52 45 4a 45 43 54 --------- Hex Payload End ----------- type limit, track by_src, count 10, seconds 3600 |---------------------| Building Rule: 2001682 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002192 -------- Hex Payload Start ---------- 43 48 47 20 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2009375 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 6e 2d 6d 65 73 73 65 6e 67 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009376 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 53 4d 53 47 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001254 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 4a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001256 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 18 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001257 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 19 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001258 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 1d --------- Hex Payload End ----------- |---------------------| Building Rule: 2001427 -------- Hex Payload Start ---------- 59 47 00 0b 00 00 00 00 00 12 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001259 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 dc --------- Hex Payload End ----------- |---------------------| Building Rule: 2001262 Error here depth! 
-------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 50 --------- Hex Payload End ----------- ^\x3c(REQIMG|RVWCFG)\x3e content:"<REQIMG>"; |---------------------| Building Rule: 2001263 -------- Hex Payload Start ---------- 3c 52 20 3c 52 45 51 49 4d 47 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2002659 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008985 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008986 -------- Hex Payload Start ---------- 47 45 54 20 48 6f 73 74 3a 20 20 77 68 61 74 69 73 6d 79 69 70 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008987 -------- Hex Payload Start ---------- 47 45 54 20 2e 73 68 6f 77 69 70 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008988 -------- Hex Payload Start ---------- 47 45 54 20 63 6d 79 69 70 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008989 -------- Hex Payload Start ---------- 47 45 54 20 73 68 6f 77 6d 79 69 70 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2009020 -------- Hex Payload Start ---------- 47 45 54 20 2e 69 70 63 68 69 63 6b 65 6e 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2000355 -------- Hex Payload Start ---------- 4e 4f 54 49 43 45 20 41 55 54 48 20 4c 6f 6f 6b 69 6e 67 20 75 70 20 79 6f 75 72 20 68 6f 73 74 6e 61 6d 65 2e 2e 2e --------- Hex Payload End ----------- type limit, count 1, seconds 360, track by_src |---------------------| Building Rule: 2002878 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 54 75 6e 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007765 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- 
Building Rule: 2007766
Building Rule: 2003155 Error here depth!
Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.metacafe.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003457; classtype:policy-violation; sid:2003457; rev:5;)
Parser failed - skipping rule
Building Rule: 2002872
Building Rule: 2009706 Error here depth!
Building Rule: 2007638
Building Rule: 2001597
Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; content:"POST"; http_method; content:"/nvserver"; http_uri; content:"cmd="; http_client_body; content:"&params="; http_client_body; content:"Netviewer Proxy Test"; http_client_body; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:4;)
Parser failed - skipping rule
Building Rule: 2008569
Building Rule: 2009895
Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.orkut.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003458; classtype:policy-violation; sid:2003458; rev:4;)
Parser failed - skipping rule
Building Rule: 2010883
Building Rule: 2009387
Building Rule: 2010766
Building Rule: 2010969
Building Rule: 2010972
Building Rule: 2003047
Building Rule: 2003048
Building Rule: 2008782
Building Rule: 2001329 Error here depth!
Building Rule: 2001330 Error here depth!
Building Rule: 2001331 Error here depth!
Building Rule: 2003479
Building Rule: 2003480
Building Rule: 2003481
Building Rule: 2003482
Building Rule: 2008406
Building Rule: 2002979
Building Rule: 2008348
Building Rule: 2010781
Building Rule: 2010782
Building Rule: 2001595
Building Rule: Protocol Not Supported
Building Rule: 2009998
Building Rule: 2007763
(\.smil)$ uricontent:".smil";
Building Rule: 2007764
Building Rule: 2008120
Building Rule: 2008116
Building Rule: 2008117
Building Rule: 2008118
Building Rule: 2008119
Building Rule: 2008794
type limit, count 1, seconds 120, track by_src
Building Rule: 2008795
type limit, track by_src, count 1, seconds 30
Building Rule: 2002950
type limit, track by_src, count 1, seconds 60
Building Rule: 2002951
type limit, track by_src, count 1, seconds 120
Building Rule: 2002952
type limit, track by_src, count 1, seconds 120
Building Rule: 2002953
Building Rule: 2008113
Building Rule: 2008115
type threshold, track by_src, count 10, seconds 120
Building Rule: 2000328 ERROR: HOME_NET 1.2.3.4
type threshold, track by_src, count 10, seconds 60
Building Rule: 2002087
Building Rule: 2007746
type both, track by_src, count 10, seconds 60
Building Rule: 2002823
type both, track by_src, count 10, seconds 60
Building Rule: 2002825
type both, track by_src, count 10, seconds 60
Building Rule: 2002827
type both, track by_src, count 10, seconds 60
Building Rule: 2002935
type both, track by_src, count 10, seconds 60
Building Rule: 2002943
Building Rule: Protocol Not Supported
Building Rule: Protocol Not Supported
Building Rule: Protocol Not Supported
Building Rule: Protocol Not Supported
\d/\d+.jpg uricontent:"0/00jpg";
Building Rule: 2002866
Building Rule: 2002167
Building Rule: 2011232
Building Rule: 2009555
Building Rule: 2008571
type limit, count 1, seconds 60, track by_src
Building Rule: 2009646
Building Rule: 2010371
Building Rule: 2010372
Building Rule: 2008311
Building Rule: 2009479
Building Rule: 2009154
Building Rule: 2008362
Building Rule: 2011011
Building Rule: 2011012
Building Rule: 2011013
Building Rule: 2011014
Building Rule: 2008414 Error here depth!
Building Rule: 2008415
Building Rule: 2008529
Building Rule: 2010954
Building Rule: 2008312
Building Rule: 2011088
Building Rule: 2011089
Building Rule: 2010681 Protocol Not Supported
Building Rule: 2008186
Building Rule: 2008606 Error here within!
530\s+(Login|User|Failed|Not) content:"530 Login";
Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; content:"530 Login"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12;)
Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:2010642; rev:3;)
Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:2010643; rev:3;)
Parser failed - skipping rule
SELECT.+FROM content:"SELECT0FROM";
Building Rule: 2009981
DELETE.+FROM content:"DELETE0FROM";
Building Rule: 2009982
INSERT.+INTO content:"INSERT0INTO";
Building Rule: 2009983
UPDATE.+SET content:"UPDATE0SET";
Building Rule: 2009984
UNION.+SELECT content:"UNION0SELECT";
Building Rule: 2009985
INTO.+OUTFILE content:"INTO0OUTFILE";
Building Rule: 2010081
Building Rule: 2011721
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:7;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:7;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:10;)
Parser failed - skipping rule
Building Rule: 2003634
Building Rule: 2009483 Error here depth!
type limit, track by_dst, count 1, seconds 60
Building Rule: 2009480
\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do) uricontent:"/randomA.";
Unsupported keyword! Error parsing rule contents
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; content:"GET"; http_method; content:"/random"; nocase; http_uri; fast_pattern:only; uricontent:"/randomA."; threshold: type threshold, track by_dst, count 20, seconds 40; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:8;)
Parser failed - skipping rule
Building Rule: 2007802
Building Rule: Protocol Not Supported
Building Rule: 2008537 Error here depth!
Building Rule: 2008627
Building Rule: 2008416
type limit, track by_src,count 1, seconds 60
Building Rule: 2003171
Building Rule: 2010686 Protocol Not Supported
Building Rule: 2000575 Protocol Not Supported
Unsupported keyword! Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2;)
Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6;)
Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4;)
Parser failed - skipping rule
Building Rule: 2010493
Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:3;)
Parser failed - skipping rule
Building Rule: 2008729
Building Rule: 2009882
Building Rule: 2009883
Building Rule: 2009359
Building Rule: 2009358
User-Agent\:[^\n]+Nessus content:"User-Agent:#Nessus";
type limit, track by_src,count 1, seconds 60
Building Rule: 2002664
type limit,track by_src,count 1,seconds 60
Building Rule: 2011029
type limit,track by_src,count 1,seconds 60
Building Rule: 2011030
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:14;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:14;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:14;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:14;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:14;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:15;)
Parser failed - skipping rule
Building Rule: 2009832
Building Rule: Protocol Not Supported
^PASS\s+PRO(-|\s)*search\s+Crawler NOT IMPL not _simple(av) in REPEATING CODES content:"PASS PROsearch Crawler";
Building Rule: 2008179
Building Rule: Protocol Not Supported
Building Rule: 2009827
Building Rule: 2003869
Building Rule: 2003870
Building Rule: 2009477 Error here depth!
Building Rule: 2009038
Building Rule: 2009039
Unsupported keyword! Error parsing rule contents
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:4;)
Parser failed - skipping rule
Building Rule: 2009041
Building Rule: 2009042
Building Rule: 2009043
Building Rule: 2009044
Building Rule: 2010215
Building Rule: 2009769
Building Rule: 2008654
Unsupported keyword! Error parsing rule contents
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; threshold: type limit, count 2, seconds 40, track by_src; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:6;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20;)
Parser failed - skipping rule
!!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7;)
Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9;)
Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4;)
Parser failed - skipping rule
Building Rule: 2008598
type limit, count 1, seconds 10, track by_src
Building Rule: 2008578
Unsupported keyword!
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3;) Parser failed - skipping rule type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2011766 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 75 6e 64 61 79 64 64 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2008610 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 69 70 3a 73 69 76 75 73 2d 64 69 73 63 6f 76 65 72 79 40 76 6f 70 73 65 63 75 72 69 74 79 2e 6f 72 67 --------- Hex Payload End ----------- type limit, count 10, seconds 60, track by_src |---------------------| Building Rule: 2010953 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 53 46 --------- 
Hex Payload End ----------- |---------------------| Building Rule: 2010956 -------- Hex Payload Start ---------- 47 45 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 53 46 2f 20 52 61 6e 67 65 3a 20 62 79 74 65 73 3d 30 2d 31 39 39 39 39 39 --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2010508 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 70 72 69 6e 67 65 6e 77 65 72 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2008605 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 53 65 73 73 69 6f 6e 20 53 74 6f 6d 70 65 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; nocase; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:9;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:19;) Parser failed - skipping rule type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2009159 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 6f 61 74 61 20 64 72 61 67 6f 73 74 65 61 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:7;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (tomcat)"; flow:to_server,established; content:"Authorization|3a| Basic dG9tY2F0"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008454; classtype:web-application-attack; sid:2008454; rev:7;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (manager)"; flow:to_server,established; content:"Authorization|3a| Basic bWFuYWdlcjp"; fast_pattern:15,17; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008455; classtype:web-application-attack; sid:2008455; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2009217 -------- Hex Payload Start ---------- 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 59 57 52 74 61 57 34 36 59 57 52 74 61 57 34 3d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009218 -------- Hex Payload Start ---------- 20 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 59 57 52 74 61 57 34 36 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009220 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010019 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 0d 0a 20 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported \/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\/ content:"/upnp/aaaaaaaa-aaaa-aaaa-aaaaaaaaaaaaaaaa/"; |---------------------| Building Rule: 2008092 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 75 70 6e 70 2f 20 2f 75 70 6e 70 2f 61 61 61 61 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2f --------- Hex Payload End ----------- 
\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\/ content:"/upnp/aaaaaaaa-aaaa-aaaa-aaaaaaaaaaaaaaaa/"; |---------------------| Building Rule: 2008093 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 75 70 6e 70 2f 20 2f 75 70 6e 70 2f 61 61 61 61 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008094 -------- Hex Payload Start ---------- 4d 53 45 41 52 43 48 20 2a 20 48 54 54 50 2f 31 2e 31 4d 41 4e 3a 20 73 73 64 70 3a --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:6;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2008526 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 69 70 3a 73 6d 61 70 40 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008568 -------- Hex Payload Start ---------- 69 6e 74 65 72 65 73 74 69 6e 67 2d 4d 65 74 68 6f 64 20 73 69 70 3a 31 5f 75 6e 75 73 75 61 6c 2e 55 52 49 20 74 6f 2d 62 65 21 73 75 72 65 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; classtype:attempted-recon; sid:2008577; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2007757 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 33 61 66 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011027 -------- Hex Payload Start ---------- 41 52 47 45 4e 54 49 4e 41 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008628 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 79 74 68 6f 6e 2d 75 72 6c 6c 69 62 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011720 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008417 -------- Hex Payload Start ---------- 47 45 54 20 2f 20 3f 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 79 74 68 6f 6e 2d 68 74 74 70 
6c 69 62 32 --------- Hex Payload End ----------- User-Agent\:[^\n]+WHCC content:"User-Agent:#WHCC"; |---------------------| Building Rule: 2003924 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 48 43 43 20 55 73 65 72 2d 41 67 65 6e 74 3a 00 57 48 43 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010768 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 65 62 63 6f 6c 6c 61 67 65 2f 31 2e 31 33 35 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009158 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 65 62 73 68 61 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010960 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 68 61 74 57 65 62 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008617 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008629 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WITOOL SQL Injection Scan"; flow:to_server,established; content:"union+select"; http_raw_uri; content:"select+user"; http_raw_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| MyIE2"; fast_pattern:48,20; http_header; threshold: type threshold, track by_dst, count 2, seconds 30; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; classtype:attempted-recon; sid:2009833; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2009298 Protocol Not Supported type limit, track by_src, seconds 180, count 1 |---------------------| Building Rule: 2010715 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 64 65 20 62 79 20 5a 6d 45 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010641 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2001852 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 34 30 34 73 65 61 72 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003640 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 39 31 63 61 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009236 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 54 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003500 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 54 42 48 4f 47 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003506 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6c 61 77 61 72 20 54 6f 6f 6c 62 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not 
Supported |---------------------| Building Rule: 2003336 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6e 74 69 56 65 72 6d 69 6e 73 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003531 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6e 74 69 56 65 72 6d 65 61 6e 73 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003604 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 65 73 6b 74 6f 70 20 57 65 62 20 53 79 73 74 65 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003608 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 65 78 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2010678 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 67 46 6f 6f 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003570 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 65 66 65 61 74 73 6c --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2008586 Error here within! 
-------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 20 20 56 69 70 65 72 20 34 2e 30 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010680 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 31 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010220 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 6c 69 63 6b 41 64 73 42 79 49 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003425 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 53 20 46 69 6e 67 65 72 70 72 69 6e 74 20 4d 6f 64 75 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003428 -------- Hex Payload Start ---------- 53 46 20 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003429 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 32 8b 86 85 86 8e 85 86 8c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003532 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 6f 6d 6d 6f 6e 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2002403 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 54 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006553 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 50 55 53 48 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011271 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 28 43 75 73 74 6f 6d 53 70 79 29 0d 0a --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2008457 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 61 76 55 70 64 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006386 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 65 65 70 64 6f 55 70 64 61 74 65 2f --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003613 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 45 4c 6f 61 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001854 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 65 7a 75 6c 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000586 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 65 7a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001853 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 53 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009861 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 52 52 4e 32 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003569 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 56 4e 55 4b 45 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010717 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 61 63 65 43 6f 6f 6b 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008647 -------- Hex Payload Start 
---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 20 49 6e 74 65 72 6e 65 74 20 41 6e 74 69 76 69 72 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008608 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 6c 65 63 74 72 6f 53 75 6e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003489 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 6c 77 61 72 65 57 69 70 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003476 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 64 2d 70 72 6f 74 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003477 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003478 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 52 52 4f 52 4e 55 4b 45 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003486 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 72 69 76 65 43 6c 65 61 6e 65 72 20 55 70 64 61 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2008484 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 6c 65 61 6e 63 6f 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008485 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 65 61 72 63 68 74 6f 6f 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008294 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 73 6d 55 70 64 61 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 
2007977 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 67 69 63 20 4e 65 74 49 6e 73 74 61 6c 6c 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008000 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 4d 20 44 6f 77 6e 6c 6f 61 64 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007881 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 5f 47 45 54 5f 43 4f 4d 4d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007882 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 48 49 4e 49 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007883 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 69 72 75 73 48 65 61 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007697 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6e 74 69 56 69 72 47 65 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007759 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 4d 20 44 6f 77 6e 6c 6f 61 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007839 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 72 50 43 43 6c 65 61 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2007845 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6f 63 75 73 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008150 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6f 63 75 73 53 6f 66 74 77 61 72 65 2c 20 4e 65 74 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007690 
-------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 44 65 66 65 6e 64 65 72 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007660 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 42 72 6f 77 73 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007617 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 69 72 75 73 50 72 6f 74 65 63 74 50 72 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007645 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 6c 74 69 6d 61 74 65 20 46 69 78 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007582 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 76 69 6b 69 6c 6c 65 72 20 63 74 72 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2010676 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 61 73 74 20 42 72 6f 77 73 65 72 20 53 65 61 72 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011247 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 6f 72 74 68 67 6f 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003405 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 6f 75 72 53 63 72 65 65 6e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2002021 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 50 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported 
|---------------------| Building Rule: 2003498 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 70 72 6f 75 74 20 47 61 6d 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008372 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 6f 6e 6e 65 63 74 6f 72 20 76 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003501 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 42 4f 4e 41 53 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003652 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 6f 6f 6c 73 74 72 65 61 6d 69 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003656 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 63 5f 76 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006778 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 6c 61 68 72 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006370 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 74 73 75 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003654 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 54 42 61 6e 6b --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2006782 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 7a 4e 6f 74 69 66 79 49 64 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007694 -------- Hex Payload 
Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6d 61 6f 6b 61 61 7a 4c 64 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003655 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2007693 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6e 64 44 72 69 76 65 4c 6f 61 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010679 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 65 6e 65 72 61 6c 20 41 6e 74 69 76 69 72 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008202 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 62 72 65 6e 51 75 61 74 72 6f 52 75 73 44 6c 64 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008203 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6e 64 56 65 61 6e 6f 34 47 65 74 44 6f 77 6e 6c 64 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007935 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 66 73 33 75 70 64 61 74 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007938 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 66 69 61 6e 33 6d 61 6e 61 67 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010718 -------- Hex Payload Start ---------- 47 6f 6f 74 6b 69 74 20 48 54 54 50 20 43 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2006362 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 42 53 42 61 6e 64 2d --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2009766 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 54 6f 6f 6c 62 61 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN iebar Spyware User Agent (iebar)"; flow:established,to_server; content:"|3b 20|iebar"; http_header; fast_pattern:only; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2001492 -------- Hex Payload Start ---------- 20 4d 79 41 70 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2001699 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 73 74 73 76 63 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011127 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5f 49 6e 54 65 52 4e 65 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011276 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 66 6f 42 6f 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010934 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 66 6f 42 6f 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002404 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 4f 49 6e 73 74 61 6c 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2002405 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 4f 47 55 45 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003627 -------- Hex 
Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 65 78 54 72 61 63 6b 65 72 57 53 49 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010218 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 41 6e 74 69 76 69 72 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003625 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4b 52 53 79 73 74 65 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2009289 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 32 43 6c 65 61 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2009223 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 56 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009150 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 76 69 72 75 73 5f 6b 69 6c 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2009157 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008594 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 7a 73 68 6f 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007643 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 76 69 72 75 73 63 68 65 63 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2006413 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 69 6e 74 5f 61 67 65 6e 63 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006422 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 54 5f 47 45 54 5f 43 4f 4d 4d --------- Hex Payload End 
----------- |---------------------| Building Rule: 2006418 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 75 73 65 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2006419 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 6e 79 63 6c 65 61 6e 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006420 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 63 73 61 66 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006421 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 63 74 6f 72 56 61 63 63 69 6e 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007809 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 65 72 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2006423 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 6f 63 74 6f 72 70 72 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2006429 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 68 6b 20 50 72 6f 66 69 6c 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2006430 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 63 63 65 73 73 20 64 6f 77 6e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008198 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 43 43 6c 65 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008200 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 76 61 63 63 69 6e 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008204 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 53 65 
63 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008205 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 53 55 70 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007947 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6e 67 75 69 64 65 75 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007958 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 41 43 4b 4d 41 4e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007959 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 4c 4f 42 41 4c --------- Hex Payload End ----------- |---------------------| Building Rule: 2007900 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 75 63 74 69 6f 6e 70 6c 75 73 75 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007908 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 47 45 54 44 41 54 41 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007909 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 46 49 4c 45 44 4f 57 4e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007910 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 5f 46 49 4c 45 44 4f 57 4e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007927 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 44 6f 6e 6b 65 79 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007928 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 76 6f 6b 65 41 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010727 
-------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 69 76 65 20 45 6e 74 65 72 70 72 69 73 65 20 53 75 69 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009222 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6f 62 6f 20 4c 75 6e 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011125 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 78 41 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003582 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 6c 77 61 72 65 57 69 70 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002394 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 54 41 5f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware User Configuration and Setup Access User-Agent (OSSProxy)"; flow: to_server,established; content:"User-Agent|3a| OSSProxy"; http_header; threshold:type limit, count 2, seconds 300, track by_src; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:32;) Parser failed - skipping rule |---------------------| Building Rule: 2003224 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 65 67 61 75 70 6c 6f 61 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002874 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 7a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009783 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 67 61 6d 69 6e 67 20 
49 6e 73 74 61 6c 6c 20 50 72 6f 67 72 61 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003928 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 62 61 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003929 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 72 61 72 5f 54 6f 6f 6c 62 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003490 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 72 61 72 5f 4b 65 79 77 6f 72 64 43 6f 6e 74 65 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002395 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 50 53 79 73 74 65 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2002396 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 72 61 76 65 6c 20 55 70 64 61 74 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003529 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 73 67 50 6c 75 73 33 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003407 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 58 20 42 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2010677 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 79 20 53 65 73 73 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported 
|---------------------| Building Rule: 2010157 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 58 58 58 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2005321 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 61 76 48 65 6c 70 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007597 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 20 52 65 67 69 73 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007598 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 75 70 64 61 74 65 73 6f 64 75 69 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007599 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 61 61 61 62 62 62 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2011101 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 6e 50 61 67 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003926 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 57 4d 49 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009765 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 69 76 69 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008894 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 6f 70 75 70 42 6c 6f 63 6b 61 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008040 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 73 6f 6c 20 4e 65 74 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003639 -------- Hex Payload Start 
---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 72 6f 78 79 44 6f 77 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2003658 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 51 51 47 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009785 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 51 76 6f 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008046 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 46 52 75 64 6f 6b 6f 70 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009796 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 65 6c 65 61 73 65 78 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008656 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 56 32 30 31 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001702 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 75 6e 64 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001707 -------- Hex Payload Start ---------- 53 41 48 20 41 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2011120 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 61 76 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003644 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 69 63 6b 6c 6f 61 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2001869 -------- Hex Payload Start ---------- 55 73 65 72 
2d 41 67 65 6e 74 3a 20 53 69 64 65 73 65 61 72 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008201 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 69 64 65 62 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008892 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6d 69 6c 65 77 61 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008500 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6f 67 6f 75 49 4d 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010675 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6f 67 6f 75 45 78 70 6c 6f 72 65 72 4d 69 6e 69 53 65 74 75 70 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2008145 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 52 49 6e 73 74 61 6c 6c 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008146 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 70 65 65 64 52 75 6e 6e 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008151 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 52 52 65 63 6f 76 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003499 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 70 79 44 61 77 6e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003399 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 70 79 48 65 61 6c --------- Hex Payload End 
----------- |---------------------| Building Rule: 2005322 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 70 79 4c 6f 63 6b 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2005318 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 66 65 74 63 68 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009994 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 54 45 52 4f 49 44 20 44 6f 77 6e 6c 6f 61 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2001891 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002400 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 2e 20 0a 20 2e 20 2e 20 0a 20 0a 20 2e 20 2e --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 360 |---------------------| Building Rule: 2002402 -------- Hex Payload Start ---------- 55 74 69 6c 4d 69 6e 64 20 48 54 54 50 47 65 74 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2003205 -------- Hex Payload Start ---------- 49 6e 66 6f 72 6d 65 72 20 66 72 6f 6d 20 52 42 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003243 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 20 41 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003337 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 75 70 64 61 74 65 20 6d 20 65 20 2e 20 2e 20 2e 20 76 20 2e --------- Hex 
Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (ms)"; flow:to_server,established; content:"User-Agent|3a| ms|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:trojan-activity; sid:2003497; rev:13;) Parser failed - skipping rule |---------------------| Building Rule: 2003492 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a 20 20 0a 20 3d 20 0a 20 2e 20 74 20 6d 20 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010908 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 0d 0a 20 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003530 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 2b 28 63 6f 6d 70 61 74 69 62 6c 65 3b 2b 4d 53 49 45 2b 2f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (DIALER)"; flow:to_server,established; content:"User-Agent|3a| DIALER"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003566; classtype:trojan-activity; sid:2003566; rev:12;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (update)"; flow:to_server,established; content:"User-Agent|3a| update|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003583; classtype:trojan-activity; sid:2003583; rev:11;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:trojan-activity; sid:2003585; rev:12;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; content:"User-Agent|3a| WinXP Pro Service Pack"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:12;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent outbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; http_header; nocase; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:12;) Parser failed - skipping rule |---------------------| Building Rule: 2003626 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent|3a| MSIE"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:15;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; content:"User-Agent|3a| HTTPTEST"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Snatch-System)"; flow:to_server,established; content:"User-Agent|3a| Snatch-System"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:11;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; content:"User-Agent|3a| KKTone"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (MyAgent)"; flow:to_server,established; content:"User-Agent|3a| MyAgent"; http_header; nocase; content:!"Host|3a 20|driverdl.lenovo.com.cn|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2006357 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 45 53 54 0d 0a 20 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2006361 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 75 61 69 5f 48 75 61 69 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (MYURL)"; flow:to_server,established; content:"User-Agent|3a| MYURL|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2007570 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 75 6d 6d 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007575 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6e 74 69 53 70 79 77 61 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007648 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 58 58 58 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007659 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 51 64 72 
42 69 20 53 74 61 72 74 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007666 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 6e 73 74 61 6c 6c 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007667 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 75 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007772 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 28 63 6f 6d 70 61 74 69 62 6c 65 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007854 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007859 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 69 63 72 6f 73 6f 66 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007860 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 36 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007868 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 69 72 65 66 6f 78 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007884 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 78 61 6d 70 6c 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007885 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 6f 77 6e 6c 6f 61 64 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007899 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 
5f 43 4f 4e 4e 45 43 54 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007921 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 78 70 6c 6f 72 65 72 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007929 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 29 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007942 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5f --------- Hex Payload End -----------
|---------------------| Building Rule: 2007943 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007946 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 6f 70 75 70 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007880 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 2d 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007948 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 2d 2d 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007991 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 6e 6b 6e 6f 77 6e 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007993 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007994 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 0d 0a 20 2e --------- Hex Payload End -----------
|---------------------| Building Rule: 2008013 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2008038 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 43 53 29 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (c \windows)"; flow:to_server,established; content:"User-Agent|3a| c|3a 5c|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:11;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Version 1.23)"; flow:to_server,established; content:"User-Agent|3a| Version "; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:9;) Parser failed - skipping rule
|---------------------| Building Rule: 2008052 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 0d 0a 20 2e 20 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2008066 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; content:"User-Agent|3a| Mozilla-web"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (INSTALLER)"; flow:to_server,established; content:"User-Agent|3a| INSTALLER|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (IEMGR)"; flow:to_server,established; content:"User-Agent|3a| IEMGR|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (GOOGLE)"; flow:to_server,established; content:"User-Agent|3a| GOOGLE|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (RBR)"; flow:to_server,established; content:"User-Agent|3a| RBR|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; content:"User-Agent|3a| MS Internet Explorer|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Installer)"; flow:to_server,established; content:"User-Agent|3a| Installer|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; content:!"|0d 0a|Q-UA|3a 20|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:16;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (TestAgent)"; flow:to_server,established; content:"User-Agent|3a| TestAgent|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; content:"User-Agent|3a| SERVER"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:8;) Parser failed - skipping rule
|---------------------| Building Rule: 2008210 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 61 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WinProxy)"; flow:to_server,established; content:"User-Agent|3a| WinProxy|0d 0a|"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; content:"User-Agent|3a| sickness"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (up2dash updater)"; flow:to_server,established; content:"User-Agent|3a| up2dash"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; content:"User-Agent|3a| NSIS_DOWNLOAD"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:trojan-activity; sid:2008216; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; content:"User-Agent|3a| Mozilla "; http_header; content:" biz|0d 0a|"; within:15; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (chek)"; flow:to_server,established; content:"User-Agent|3a| chek|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008253; classtype:trojan-activity; sid:2008253; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; content:"User-Agent|3a| Nimo Software HTTP"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:trojan-activity; sid:2008257; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (AutoHotkey)"; flow:to_server,established; content:"User-Agent|3a| AutoHotkey"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008259; classtype:trojan-activity; sid:2008259; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WebForm 1)"; flow:to_server,established; content:"User-Agent|3a| WebForm"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (opera)"; flow:to_server,established; content:"User-Agent|3a| opera|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Zilla)"; flow:to_server,established; content:"User-Agent|3a| Zilla|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:7;) Parser failed - skipping rule
|---------------------| Building Rule: Protocol Not Supported
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (123)"; flow:to_server,established; content:"User-Agent|3a| 123|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (angel)"; flow:to_server,established; content:"User-Agent|3a| angel|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Accessing)"; flow:to_server,established; content:"User-Agent|3a| Accessing|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (ISMYIE)"; flow:to_server,established; content:"User-Agent|3a| ISMYIE|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:7;) Parser failed - skipping rule
|---------------------| Building Rule: 2008365 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 6c 61 79 74 65 63 68 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2008378 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 72 72 43 6f 64 65 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (svchost)"; flow:established,to_server; content:"User-Agent|3a| svchost"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:11;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; content:"User-Agent|3a| ReadFileURL|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:10;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; content:"User-Agent|3a| PcPcUpdater"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Inet_read)"; flow:established,to_server; content:"User-Agent|3a| Inet_read"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (CFS Agent)"; flow:established,to_server; content:"User-Agent|3a| CFS Agent"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; classtype:trojan-activity; sid:2008423; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; content:"User-Agent|3a| CFS_DOWNLOAD"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; content:"User-Agent|3a| HTTP Downloader"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; content:"User-Agent|3a| AdiseExplorer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (HttpDownload)"; flow:established,to_server; content:"User-Agent|3a| HttpDownload"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Download App)"; flow:established,to_server; content:"User-Agent|3a| Download App"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:11;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (hacker)"; flow:established,to_server; content:"User-Agent|3a| hacker"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:10;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; content:"User-Agent|3a| ieguideupdate"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (adsntD)"; flow:established,to_server; content:"User-Agent|3a| adsntD"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (NULL)"; flow:established,to_server; content:"User-Agent|3a| NULL"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (ieagent)"; flow:established,to_server; content:"User-Agent|3a| ieagent"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (antispyprogram)"; flow:established,to_server; content:"User-Agent|3a| antispyprogram"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; classtype:trojan-activity; sid:2008495; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; content:"User-Agent|3a| SUiCiDE"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; content:"User-Agent|3a| |5c|xa2|5c|xa2HttpClient|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (C slash)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|"; http_header; fast_pattern; content:!"|5c|Citrix|5c|"; http_header; content:!"|5c|Panda S"; nocase; http_header; content:!"|5c|Mapinfo"; http_header; nocase; threshold:type limit,count 2,track by_src,seconds 300; classtype:trojan-activity; sid:2008512; rev:16;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; content:"User-Agent|3a| msIE"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; content:"User-Agent|3a| AVP200"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (winlogon)"; flow:established,to_server; content:"User-Agent|3a| winlogon"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; content:"User-Agent|3a| Internet HTTP"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; content:"User-Agent|3a| RLMultySocket|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:7;) Parser failed - skipping rule
|---------------------| Building Rule: Protocol Not Supported
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; content:"User-Agent|3a| Compatible|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; classtype:trojan-activity; sid:2008657; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; content:"User-Agent|3a| GetUrlSize|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; classtype:trojan-activity; sid:2008658; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; content:"User-Agent|3a| aguarovex-loader v"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; classtype:trojan-activity; sid:2008663; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; content:"User-Agent|3a| WINS_HTTP_SEND"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; classtype:trojan-activity; sid:2008734; rev:7;) Parser failed - skipping rule
|---------------------| Building Rule: 2008735 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 74 70 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2008742 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 64 77 69 6e 72 75 6e --------- Hex Payload End -----------
|---------------------| Building Rule: 2008743 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 64 73 63 6c 6b --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (checkonline)"; flow:established,to_server; content:"User-Agent|3a| checkonline|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; classtype:trojan-activity; sid:2008749; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; content:"User-Agent|3a| Kvadrlson "; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; classtype:trojan-activity; sid:2008756; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (miip)"; flow:established,to_server; content:"User-Agent|3a| miip|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; classtype:trojan-activity; sid:2008797; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Mozil1a)"; flow:established,to_server; content:"User-Agent|3a| Mozil1a"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; classtype:trojan-activity; sid:2008847; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; content:"User-Agent|3a| min|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; classtype:trojan-activity; sid:2008912; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/1.0 (compatible|3b| MSIE 8.0|3b|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; classtype:trojan-activity; sid:2008913; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; content:"User-Agent|3a| xr|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; classtype:trojan-activity; sid:2008914; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (HELLO)"; flow:established,to_server; content:"User-Agent|3a| HELLO|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; classtype:trojan-activity; sid:2008941; rev:9;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Yandesk)"; flow:established,to_server; content:"User-Agent|3a| Yandesk|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; classtype:trojan-activity; sid:2008916; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; content:"User-Agent|3a| sections|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; classtype:trojan-activity; sid:2008919; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (IE/1.0)"; flow:to_server,established; content:"User-Agent|3a| IE/1.0|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:8;) Parser failed - skipping rule
|---------------------| Building Rule: 2008974 !216.115.208.0 SELF>DST -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 29 0d 0a 20 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2008983 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6c 61 63 6b 53 75 6e --------- Hex Payload End -----------
|---------------------| Building Rule: 2009021 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 5f 36 2e 30 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009027 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 69 6c 65 44 6f 77 6e 6c 6f 61 64 65 72 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009111 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 67 65 74 5f 73 69 74 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009124 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 45 54 4a 4f 42 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (runUpdater.html)"; flow:established,to_server; content:"User-Agent|3a| runUpdater|2e|html"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009355; classtype:trojan-activity; sid:2009355; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (runPatch.html)"; flow:established,to_server; content:"User-Agent|3a| runPatch|2e|html"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009356; classtype:trojan-activity; sid:2009356; rev:8;) Parser failed - skipping rule
|---------------------| Building Rule: 2009438 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 38 20 5b 72 75 5d 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 55 29 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2009439 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 65 6c 70 53 72 76 63 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2009445 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 67 61 76 61 44 77 6e 6c 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2009486 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 57 69 6e 64 6f 77 73 2b 4e 54 2b 35 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; content:"User-Agent|3a| Session|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009512; classtype:trojan-activity; sid:2009512; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Poker)"; flow:to_server,established; content:"User-Agent|3a| Poker|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; classtype:trojan-activity; sid:2009534; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent\: Loands|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009537; classtype:trojan-activity; sid:2009537; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent\: ms_ie|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009538; classtype:trojan-activity; sid:2009538; rev:5;) Parser failed - skipping rule
|---------------------| Building Rule: 2009540 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 43 46 6c 61 73 68 42 61 6e 67 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent\: Forthgoner|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009547; classtype:trojan-activity; sid:2009547; rev:5;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent|3a| InHold|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009544; classtype:trojan-activity; sid:2009544; rev:6;) Parser failed - skipping rule
|---------------------| Building Rule: 2009545 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5f 54 45 53 54 5f --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (INet)"; flow:established,to_server; content:"User-Agent|3a| INet|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:6;) Parser failed - skipping rule
|---------------------| Building Rule: 2009930 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 73 65 72 20 41 67 65 6e 74 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009991 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 79 49 45 2f --------- Hex Payload End -----------
|---------------------| Building Rule: 2009995 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 4e 41 4e 44 4f 4e 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2007961 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 67 65 74 20 33 2e 30 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2010129 -------- Hex Payload Start ---------- 47 65 54 20 48 74 74 50 20 0d 0a 48 6f 53 54 3a 20 20 55 73 45 52 2d 41 67 45 4e 74 3a 20 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2010137 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6d 65 33 32 0d 0a --------- Hex Payload End -----------
|---------------------| Building 
Rule: 2010265 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 30 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010333 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 72 61 7a 79 42 72 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007827 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010461 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 6e 61 3b 20 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010595 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 3f 3f 3f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010599 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010868 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 2d 20 4d 53 49 45 20 36 2e 30 2d 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 2d 20 53 56 31 2d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010904 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 30 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2010905 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 30 2e --------- Hex Payload End ----------- 
type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2011146 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 20 4d 61 73 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011149 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 65 62 63 6f 75 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011678 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 5f 51 75 65 72 79 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011679 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 62 63 6f 75 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011718 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 61 6e 67 65 43 68 65 63 6b 2f 30 2e 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011719 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 4f 47 4f 55 5f 55 50 44 41 54 45 52 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011225 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 73 6b 49 6e 73 74 61 6c 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2011226 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 65 46 61 73 74 53 65 74 75 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011227 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 20 28 4d 6f 7a 69 6c 6c 61 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011229 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 75 67 67 65 
73 74 69 6f 6e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011238 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 53 50 33 20 57 49 4e 4c 44 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2001871 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 53 41 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007600 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 72 79 4d 65 64 69 61 5f 44 4d 5f --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2001996 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 49 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010346 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 3b 20 4d 61 64 65 20 62 79 20 55 6c 74 69 6d 61 74 65 48 61 63 6b 65 72 7a 54 65 61 6d 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009993 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 61 63 63 69 6e 65 4b 69 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2007869 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 6f 6d 62 61 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2006392 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 54 52 65 63 6f 
76 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006393 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 54 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008141 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 54 6f 75 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010889 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 5c 3a 20 4d 6f 7a 7a 69 6c 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008190 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 42 75 74 6c 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003544 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 46 69 78 4d 61 73 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003545 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 46 69 78 20 4d 61 73 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003567 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 4e 53 20 45 78 74 72 61 63 74 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003470 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003527 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 53 6f 66 74 77 61 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003528 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 65 74 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 
2011248 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 58 69 65 48 6f 6e 67 57 65 69 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003383 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 3b 20 48 62 54 6f 6f 6c 73 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2006780 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5a 43 2d 42 72 69 64 67 65 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006781 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5a 43 20 58 4d 4c 2d 52 50 43 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2011691 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 69 6e 62 61 6c 6c 43 6f 72 70 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2011087 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 67 6f 6d 74 6f 75 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011105 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 2d 73 63 61 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2002169 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 57 6f 6e 53 65 61 72 63 68 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2000466 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 65 78 70 6c 6f 72 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008558 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 57 69 6e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011106 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 69 6e 65 67 75 69 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003345 -------- Hex Payload Start ---------- 44 6f 77 6e 6c 6f 61 64 20 55 42 41 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011090 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 65 63 75 76 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008503 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5a 43 4f 4d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003614 -------- Hex Payload Start ---------- 4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003615 -------- Hex Payload Start ---------- 4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011199 -------- Hex Payload Start ---------- 54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009487 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:trojan-activity; sid:2009812; rev:7;) Parser failed - skipping rule &HD=[A-F0-9]{32}& uricontent:"&HD=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&"; |---------------------| Building Rule: 2009203 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011677 -------- Hex Payload Start ---------- 20 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 20 28 4d 6f 7a 69 6c 6c 61 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008502 -------- Hex Payload Start ---------- 20 20 20 20 20 26 61 64 64 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008282 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008483 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008511 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010909 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e dd a4 a3 d4 a6 d4 d3 d1 c8 a0 a7 a1 d3 c8 d1 87 d7 87 c8 a7 a6 d4 a3 c8 d3 d1 d3 d2 d1 a0 dc dd a4 d2 d4 d5 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010910 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e d5 d4 d2 d1 a1 d7 a3 a6 c8 d2 a6 a7 d3 c8 d1 84 d7 d7 c8 dd d2 a6 d2 c8 d2 a7 a7 d2 d7 a4 d6 d7 a3 d4 dc a3 98 e5 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2010911 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e dc dd a1 dc d0 dd a3 a6 c8 a1 d5 a4 d7 c8 d1 83 d4 86 c8 a7 dd d1 d4 c8 d7 d6 d7 a4 a7 d6 d0 d2 a0 d2 a6 dd 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010912 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e a3 d3 a6 d1 d6 a0 d4 a4 c8 d4 d0 d0 d4 c8 d1 d5 d5 d5 c8 a4 d1 dd d6 c8 a6 d6 d3 d4 dc d3 dc a4 a0 a6 d1 d4 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010914 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e a0 a4 d2 a4 d7 a0 a7 d2 c8 d4 a0 d1 dc c8 d1 81 d0 83 c8 a7 d1 a1 dd c8 a1 d3 d3 d1 d0 a7 d2 d1 d1 d5 a0 d6 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010915 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e a0 d7 a4 a6 d0 d5 dd dc c8 d6 dd d7 d5 c8 d1 d6 83 80 c8 dd a4 d1 a1 c8 a4 d2 d5 d7 dd a3 a4 a1 dd a6 d7 dd 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010916 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e d6 dd d1 a0 a7 a0 d7 a6 c8 a3 dc a0 a4 c8 d1 83 d3 87 c8 dc d1 a0 a3 c8 a6 dc a1 d7 a1 a4 d0 dd a3 a1 d4 d6 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010917 -------- Hex Payload Start ---------- c2 e5 e5 e5 9e d1 a3 d1 a3 d5 a1 dd dd c8 a0 d2 d4 d0 c8 d1 87 d4 83 c8 a7 d6 d4 d4 c8 d3 d4 a0 d0 d6 d5 a6 d7 a6 dd a3 a6 98 e5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009054 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Asprox Data Post to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=|22|sid|22 0d 0a 0d 0a|"; http_client_body; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; http_client_body; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; http_client_body; nocase; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; classtype:trojan-activity; sid:2010270; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2009450 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010695 -------- Hex Payload Start ---------- ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff --------- Hex Payload End ----------- |---------------------| Building Rule: 2010696 -------- Hex Payload Start ---------- cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc --------- Hex Payload End ----------- |---------------------| Building Rule: 2009516 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 63 62 54 69 74 3d 20 2e 20 63 62 42 6f 64 79 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008461 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008465 -------- Hex Payload Start ---------- 6c 3c 20 3e 20 20 62 69 64 3d 20 62 76 65 72 3d 20 62 69 70 3d 20 62 6e 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2009240 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"Admin="; depth:6; http_client_body; content:"&UserName="; http_client_body; content:"&IsProxy="; http_client_body; flowbits:isset,ET.bd1; reference:url,doc.emergingthreats.net/2009241; classtype:trojan-activity; sid:2009241; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2008005 -------- Hex Payload Start ---------- 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 43 44 2d 4b 65 79 20 50 61 63 6b 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 50 72 6f 64 75 63 74 20 49 44 20 43 44 20 4b 65 79 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007922 -------- Hex Payload Start ---------- 53 74 61 74 75 73 2a 28 49 64 6c 65 2e 2e 2e 29 2a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007979 -------- Hex Payload Start ---------- 56 65 72 73 69 6f 6e 28 2a 20 29 2a --------- Hex Payload End ----------- kill\-\d+.\d+.\d+.\d+\:\d+%\d content:"kill-0000000:0%0"; |---------------------| Building Rule: 2007980 -------- Hex Payload Start ---------- 6b 69 6c 6c 2d 20 6b 69 6c 6c 2d 30 30 30 30 30 30 30 3a 30 25 30 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007981 -------- Hex Payload Start ---------- 53 74 61 74 75 73 28 2a 55 44 50 20 41 74 74 61 63 6b 20 52 75 6e 6e 69 6e 67 21 2a 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007982 -------- Hex Payload Start ---------- ff ff ff ff 20 20 6f 77 6e 20 79 6f 75 20 62 69 74 63 68 21 20 01 01 01 01 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008507 -------- Hex Payload Start ---------- 73 74 61 74 65 3a 20 30 20 2d 20 7a 6f 6d 62 69 65 20 69 73 20 72 65 61 64 79 20 66 6f 72 20 63 6f 6e 74 72 6f 6c --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; content:".php"; http_uri; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; http_header; nocase; content:"from="; http_client_body; nocase; content:"|26|FromMail="; http_client_body; nocase; content:"|26|destino="; http_client_body; nocase; content:"|26|assunto="; http_client_body; nocase; content:"|26|mensagem="; http_client_body; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008331; classtype:trojan-activity; sid:2008331; rev:8;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"tipo=cli&cli="; http_client_body; reference:url,doc.emergingthreats.net/2009296; classtype:trojan-activity; sid:2009296; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2003555 -------- Hex Payload Start ---------- cf 8f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 26 26 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003556 -------- Hex Payload Start ---------- cf ab a8 a7 ae cf --------- Hex Payload End ----------- |---------------------| Building Rule: 2003557 -------- Hex Payload Start ---------- cf ab a8 a4 ae cf 26 26 26 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003558 -------- Hex Payload Start ---------- cf 9b 8c 8e 8a 9b cf 20 20 20 20 20 95 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003559 -------- Hex Payload Start ---------- cf 84 82 8d 80 9b cf 95 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003560 -------- Hex Payload Start ---------- cf 8e 80 84 84 8c 9e 80 87 cf --------- Hex Payload End ----------- |---------------------| Building Rule: 2003561 -------- Hex Payload Start ---------- cf 9e 80 87 85 80 9a 9d cf 20 20 20 20 20 20 20 20 20 20 26 26 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003562 -------- Hex Payload Start ---------- 99 9b 86 8a 85 80 9a 9d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003565 -------- Hex Payload Start ---------- cf 9d 82 99 9b 86 8a cf 20 20 20 20 20 
20 20 20 20 20 26 26 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003563 -------- Hex Payload Start ---------- a7 a0 a7 ae 95 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003564 -------- Hex Payload Start ---------- 9a 86 8a 82 9a 86 87 26 26 26 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003936 -------- Hex Payload Start ---------- cf 8f 80 9b 9a 9d cf 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; depth:55; http_header; content:"Content-Length|3a20|"; http_header; content:"VISITED_URL"; depth:100; http_client_body; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; classtype:trojan-activity; sid:2003937; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:trojan-activity; sid:2007901; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2007940 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007957 -------- Hex Payload Start ---------- 86 71 3b 72 50 61 7d 95 5f 61 46 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007984 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007999 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 0d 0a 20 76 69 74 3d 20 26 62 6b 3d 26 64 61 64 6f 73 3d --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:trojan-activity; sid:2008267; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2008519 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009090 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5b 43 6f 6e 74 72 6f 6c 69 6e 66 6f 5d 20 43 6e 74 49 6e 66 6f 3d 20 55 73 65 53 65 70 43 6f 6e 74 72 6f 6c 3d 20 4e 61 6d 65 73 3d --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN General Banker.PWS POST Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"IDMAQUINA="; http_client_body; reference:url,doc.emergingthreats.net/2009127; classtype:trojan-activity; sid:2009127; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2009235 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009447 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 29 0d 0a 48 6f 73 74 3a 20 20 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bancos/Banker Info Stealer Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; nocase; content:"op="; http_client_body; nocase; content:"servidor="; http_client_body; nocase; content:"senha="; http_client_body; nocase; content:"usuario="; http_client_body; nocase; content:"base="; http_client_body; nocase; content:"sgdb="; http_client_body; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2009550 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 0d 0a 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009750 -------- Hex Payload Start ---------- 48 45 41 44 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009862 -------- Hex Payload Start ---------- 5b 53 5d 41 44 44 4e 45 57 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009863 -------- Hex Payload Start ---------- 5b 53 5d 68 65 6c 6c 6f 5b 00 00 00 --------- Hex Payload End ----------- \?id=[A-Za-z]+_[A-Za-z0-9]+& uricontent:"?id=A_A&"; |---------------------| Building Rule: 2009408 -------- Hex Payload Start 
---------- 20 20 --------- Hex Payload End ----------- \/dl\/AcroIEHelpe(r)?(\d)?\.dll NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/dl/AcroIEHelpe.dll"; |---------------------| Building Rule: 2009409 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002977 -------- Hex Payload Start ---------- 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 39 20 44 69 73 70 6f 73 69 74 69 76 6f 20 69 6e 73 74 61 6c 61 64 6f 2e 20 4d 61 71 75 69 6e 61 20 70 72 6f 6e 74 61 20 70 61 72 61 20 75 73 6f 2e 20 44 61 74 61 3a 20 20 48 6f 72 61 3a 20 20 44 65 76 65 6c 6f 70 6d 65 6e 74 20 62 79 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2004440 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 78 61 6d 70 6c 65 44 4c --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banload HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2007863; classtype:trojan-activity; sid:2007863; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2007864 -------- Hex Payload Start ---------- 20 20 2b 2b 2b 2b 2b 2b 2b 2b 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; content:"/envia.php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"praquem="; http_client_body; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:trojan-activity; sid:2008256; rev:7;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:trojan-activity; sid:2008283; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2008320 -------- Hex Payload Start ---------- 55 72 75 63 68 6f 6d 69 6f 6e 6f 20 74 72 6f 6a 61 6e 61 2c 20 77 70 69 73 7a 20 68 65 6c 70 20 61 62 79 20 75 7a 79 73 6b 61 63 20 70 6f 6d 6f 63 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banload POST Checkin (dados)"; flow:established,to_server; content: "POST"; nocase; http_method; content:"PC="; http_client_body; nocase; content: "&USER="; http_client_body; nocase; content:"&HASH="; http_client_body; nocase; content:"&DADOS="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008477; classtype:trojan-activity; sid:2008477; rev:6;) Parser failed - skipping rule mac=[0-9A-Fa-f]{12}& uricontent:"mac=000000000000&"; |---------------------| Building Rule: 2009453 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010266 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Basine Trojan Checkin"; flow:established,to_server; content:"a="; http_client_body; content:"&b=reported"; http_client_body; content:"&d=report"; http_client_body; reference:url,doc.emergingthreats.net/2007692; classtype:trojan-activity; sid:2007692; rev:7;) Parser failed - skipping rule \?type=slg&id=[0-9A-Z]{18} uricontent:"?type=slg&id=000000000000000000"; |---------------------| Building Rule: 2009351 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Urlzone/Bebloh Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"N="; http_client_body; content:"&ID="; http_client_body; content:"&DATA="; http_client_body; reference:url,doc.emergingthreats.net/2009520; classtype:trojan-activity; sid:2009520; rev:7;) Parser failed - skipping rule \/ff\.ie\?rnd=\x2d?\d uricontent:"/ff.ie?rnd=0"; |---------------------| Building Rule: 2010565 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008273 -------- Hex Payload Start ---------- 09 00 00 9a 20 20 20 cc 20 20 20 74 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008274 -------- Hex Payload Start ---------- 05 00 00 00 bc 20 20 20 cc --------- Hex Payload End ----------- |---------------------| Building Rule: 2009128 -------- Hex Payload Start ---------- 50 49 4e 47 20 3a 69 2e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009129 -------- Hex Payload Start ---------- 50 4f 4e 47 20 3a 69 2e 0d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&bid="; http_client_body; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,doc.emergingthreats.net/2010875; classtype:trojan-activity; sid:2010875; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; nocase; content:"getp="; http_client_body; content:"id="; http_client_body; content:"ln="; http_client_body; content:"bid="; http_client_body; content:"nt="; http_client_body; content:"cn="; http_client_body; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; classtype:trojan-activity; sid:2010886; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:trojan-activity; sid:2009297; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2008541 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010790 -------- Hex Payload Start ---------- 0d 0a 0d 0a 21 6e 65 77 5f 63 6f 6e 66 69 67 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009353 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009354 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009360 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 26 71 3d 20 55 73 65 72 2d 41 67 65 6e 74 3a 0d 0a --------- Hex Payload End ----------- \x0d\x0aEntity-Info\x3a\s+\d+\x3a\d content:" Entity-Info: 0:0"; 
|---------------------| Building Rule: Protocol Not Supported \/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$ uricontent:"/get.php?c=AAAAAAAA&d=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2010071 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\- uricontent:"&p=00000-00000-"; |---------------------| Building Rule: 2010072 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \x3Fddos\x3D(x\d{1,2}){5,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:"?ddos="; |---------------------| Building Rule: 2010381 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010382 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006999 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 72 6f 6e 74 6f 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2008765 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4a 6f 73 65 72 61 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007843 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- phid=[A-F0-9]{64} uricontent:"phid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2009349 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008248 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007808 -------- 
Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 6e 65 74 69 6e 73 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007810 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6f 6b 63 70 6d 67 72 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"os="; http_client_body; nocase; content:"&ver="; http_client_body; nocase; content:"&idx="; http_client_body; nocase; content:"&user="; http_client_body; nocase; content:"&ioctl="; http_client_body; nocase; content:"&data="; http_client_body; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:trojan-activity; sid:2010217; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2011272 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010973 -------- Hex Payload Start ---------- 3a 2e 64 6c 20 68 74 74 70 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008623 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008624 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008153 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body; content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:trojan-activity; sid:2008442; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2008310 -------- Hex Payload Start ---------- 0d 0a 53 75 62 6a 65 63 74 3a 20 43 6f 64 65 73 6f 66 74 20 50 57 20 53 74 65 61 6c 65 72 2a 2a 2a 2a 2a 2a 53 54 45 41 4d 20 50 41 53 53 20 53 54 45 41 4c 45 52 2a 2a 2a 2a 2a 2a 2a --------- Hex Payload End ----------- \/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/search?q=0"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; uricontent:"/search?q=0"; pcre:"/\x0d\x0aHost\x3a \d+\.\d+\.\d+\.\d+\x0d\x0a/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:13;) Parser failed - skipping rule !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET TROJAN Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; classtype:trojan-activity; sid:2009201; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2008737 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008738 -------- Hex Payload Start ---------- 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 7a 68 2d 63 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008739 -------- Hex Payload Start ---------- 49 66 2d 4e 6f 6e 65 2d 4d 61 74 63 68 3a 20 22 36 30 37 39 34 2d 31 32 62 33 2d 65 34 31 36 39 34 34 30 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008399 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6c 6b 5f 6a 64 66 68 69 64 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d 0a|Host|3a20|"; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; classtype:trojan-activity; sid:2008434; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body; content:"&ie="; http_client_body; content:"&input="; http_client_body; content:"&c="; http_client_body; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:9;) Parser failed - skipping rule type limit, track by_src, seconds 3600, count 1 |---------------------| Building Rule: 2008352 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:trojan-activity; sid:2008353; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&panic="; fast_pattern; http_client_body; content:"&input="; http_client_body; reference:url,doc.emergingthreats.net/2009287; classtype:trojan-activity; sid:2009287; rev:7;) Parser failed - skipping rule mode=\d+D[0-9A-F]{150} uricontent:"mode=0D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2008144 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011234 -------- Hex Payload Start ---------- 5d 20 44 75 6d 70 69 6e 67 20 70 72 6f 63 65 73 73 65 73 20 7b 0d 0a --------- Hex Payload End ----------- &rvz1=\d+&rvz2=\d+?$ uricontent:"&rvz1=0&rvz2=0"; |---------------------| Building Rule: 2008567 -------- Hex Payload Start ---------- 20 20 20 2e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| BIE|0d 0a|"; http_header; content:"cname="; http_client_body; reference:url,doc.emergingthreats.net/2009204; classtype:trojan-activity; sid:2009204; rev:7;) Parser failed - skipping rule \/stat\d+\.php uricontent:"/stat0.php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DMSpammer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/stat"; http_uri; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; fast_pattern:37,10; content:"x|9c|"; http_client_body; uricontent:"/stat0.php"; reference:url,doc.emergingthreats.net/2008271; classtype:trojan-activity; sid:2008271; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2008807 -------- Hex Payload Start ---------- 00 00 00 00 c0 a8 01 1e 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008808 -------- Hex Payload Start ---------- 55 d8 09 00 c0 a8 01 1e 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008940 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 63 67 69 2d 62 69 6e 2f 67 65 6e 65 72 61 74 6f 72 20 48 54 54 50 2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 20 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008086 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- \/x\/\?0\w{35}$ uricontent:"/x/?0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2010164 -------- Hex Payload Start ---------- 20 0d 
0a 53 53 3a 20 0d 0a 58 6f 73 74 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002976 -------- Hex Payload Start ---------- 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 39 20 4d 61 71 75 69 6e 61 2e 2e 20 56 65 72 73 e3 6f 20 64 6f 20 57 69 6e 64 6f 77 73 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 4d 61 63 20 41 64 64 72 65 73 73 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2002978 -------- Hex Payload Start ---------- 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 39 20 4e 6f 6d 65 20 43 6f 6d 70 75 74 61 64 6f 72 3a 20 20 44 61 74 61 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002980 -------- Hex Payload Start ---------- 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 39 20 53 75 62 6a 65 63 74 3a 20 49 4e 46 45 43 54 20 2d 20 20 44 61 74 61 3a 20 20 57 69 6e 64 6f 77 73 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002981 -------- Hex Payload Start ---------- 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 39 20 4d 61 71 75 69 6e 61 20 49 50 20 48 6f 72 61 20 44 61 74 61 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003931 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 61 72 6c 6f 6b 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2003933 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2004442 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 68 68 68 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007594 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 7a 0d 0a --------- Hex Payload End 
----------- |---------------------| Building Rule: 2009988 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 7a 41 70 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007699 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 49 4e 44 4f 57 53 5f 4c 4f 41 44 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007838 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007858 -------- Hex Payload Start ---------- 53 54 4f 52 20 20 20 20 20 20 20 4b 65 79 6c 6f 67 67 65 72 20 5b 20 20 20 20 20 5d 2e 74 78 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007939 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Delf Checkin via HTTP (5)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"email="; http_client_body; nocase; content:"&computador="; distance:0; http_client_body; nocase; content:"&nomfile="; distance:0; http_client_body; nocase; content:"&user="; distance:0; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008044; classtype:trojan-activity; sid:2008044; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2008071 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008090 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008906 -------- Hex Payload Start ---------- 7c 43 72 65 61 74 65 46 6f 72 6d 7c 46 69 6c 65 54 72 61 6e 73 66 65 72 7c 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2008907 -------- Hex Payload Start ---------- 7c 43 72 65 61 74 65 46 6f 72 6d 7c 46 69 6c 65 4d 61 6e 61 67 65 72 7c 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- ^\d+?\x7cOnConnect\x7c content:"0|OnConnect|"; Parser failed - skipping rule |---------------------| Building Rule: 2009824 -------- Hex Payload Start ---------- 74 69 70 3d 20 26 63 6c 69 3d 20 26 74 69 70 6f 3d --------- Hex Payload End ----------- v=\d+&rnd=\d uricontent:"v=0&rnd=0"; |---------------------| Building Rule: 2007822 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003083 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003650 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006364 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 65 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007743 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007913 -------- Hex Payload Start ---------- 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008345 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008430 -------- Hex Payload Start ---------- 20 26 63 6c 3d 20 26 69 64 3d 20 26 6f 76 3d 20 26 73 69 74 65 3d 20 26 74 6b 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008441 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2008490 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010458 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010932 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003598 -------- Hex Payload Start ---------- 55 73 65 72 2d 61 67 65 6e 74 3a 20 63 76 5f 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008945 -------- Hex Payload Start ---------- 47 45 54 20 2f 64 6c 69 6e 6b 2f 68 77 69 7a 2e 68 74 6d 6c 20 48 54 54 50 2f 31 2e 30 0d 0a 0d 0a 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008451 -------- Hex Payload Start ---------- 48 41 53 48 3a 20 0d 0a 49 44 3a 20 0d 0a 53 65 73 73 69 6f 6e 31 20 20 0d 0a 52 42 4c 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008364 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008031 -------- Hex Payload Start ---------- 31 53 43 44 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008032 -------- Hex Payload Start ---------- 31 53 43 44 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- \?ca[sc]hingDeny=[0-9A-Za-z]{16}& uricontent:"?cashingDeny=0000000000000000&"; |---------------------| Building Rule: 2010334 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003590 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 53 49 44 20 5b --------- Hex Payload End ----------- |---------------------| Building Rule: 2007595 -------- Hex 
Payload Start ---------- 20 20 20 20 20 20 20 20 20 26 4f 53 49 6e 66 6f 32 3d 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2003641 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 65 74 53 63 61 66 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003646 -------- Hex Payload Start ---------- 20 20 4d 69 63 72 6f 73 6f 66 74 20 55 52 4c 20 43 6f 6e 74 72 6f 6c 20 2d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003647 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 52 43 2d 55 20 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003648 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 69 6e 6b 72 75 6e 6e 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006366 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006377 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2006387 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 64 6f 77 73 20 55 70 64 61 74 65 73 20 4d 61 6e 61 67 65 72 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2006394 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2006400 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006401 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F] 
uricontent:"/ping/0000000000000000000000000000000000000000000000000000000000000000/0/0"; |---------------------| Building Rule: 2007284 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007577 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007587 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007633 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 73 6d 61 7a 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007778 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 4e 65 74 46 69 6c 65 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push)"; flow:established,to_server; content:"POST"; http_method; nocase; content:"bot_id="; http_client_body; content:"&build_id="; http_client_body; content:"&sport="; http_client_body; content:"&hport="; http_client_body; content:"&ping="; http_client_body; content:"&speed="; http_client_body; reference:url,doc.emergingthreats.net/2007831; classtype:trojan-activity; sid:2007831; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related"; flow:established,to_server; content:"POST"; nocase; http_method; content:"?id="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"proc=[System Process]|0d 0a|"; http_client_body; content:"|0d 0a|&size="; http_client_body; reference:url,doc.emergingthreats.net/2007836; classtype:trojan-activity; sid:2007836; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2007837 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 49 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007840 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 68 65 6c 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007912 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 68 72 62 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007923 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 69 67 69 74 61 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007924 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 6f 77 6e 6c 6f 61 64 65 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007925 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 6e 61 6d 65 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007952 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007953 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007954 -------- Hex Payload Start ---------- 20 20 20 --------- 
Hex Payload End ----------- |---------------------| Building Rule: 2007955 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008019 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 68 74 74 70 73 0d 0a --------- Hex Payload End ----------- \/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20 uricontent:"/down0/down/?s=A&t=0/0/20"; |---------------------| Building Rule: 2008087 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2} uricontent:"MAC=0a-aa-aa-aa-aa-aa"; |---------------------| Building Rule: 2008132 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2} uricontent:"MAC=0a-aa-aa-aa-aa-aa"; |---------------------| Building Rule: 2008133 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008134 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008182 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008183 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008194 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- \/rpt\d uricontent:"/rpt0"; |---------------------| Building Rule: 2008233 -------- Hex Payload Start ---------- 47 45 54 20 20 2e --------- Hex Payload End ----------- \/s_\d\d_\d+\? uricontent:"/s_00_0?"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; content:"m="; http_uri; content:"&a="; http_uri; content:"&r="; http_uri;content:"&os="; http_uri; content:"00000"; http_uri; uricontent:"/s_00_0?"; pcre:"/&os=[0-9a-z]{40}/Ui"; reference:url,doc.emergingthreats.net/2008412; classtype:trojan-activity; sid:2008412; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2008458 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 44 4c 2f 31 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008492 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2009299 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009451 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009526 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009527 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2009549 -------- Hex Payload Start ---------- 50 4f 53 54 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009541 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 61 63 3d 20 26 68 64 69 64 3d 20 26 77 6c 69 64 3d 20 26 73 74 61 72 74 3d 20 26 6f 73 3d 20 26 6d 65 6d 3d 20 26 61 6c 69 76 65 20 26 76 65 72 3d 20 26 6d 6f 64 65 3d 20 26 67 75 69 64 20 26 
69 6e 73 74 61 6c 6c 3d 20 26 61 75 74 6f 3d 20 26 73 65 72 76 65 69 64 20 26 61 72 65 61 3d --------- Hex Payload End ----------- \?mac=[0-9]*?&os=[a-z]*?&ver=[0-9]{8}&id= uricontent:"?mac=&os=&ver=00000000&id="; |---------------------| Building Rule: 2009704 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011269 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 53 44 4e 20 53 75 72 66 42 65 61 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009804 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 49 6e 65 74 48 54 54 50 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007770 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 65 61 72 20 41 70 70 6c 69 63 61 74 69 6f 6e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007644 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007917 -------- Hex Payload Start ---------- 30 30 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007918 -------- Hex Payload Start ---------- 00 00 00 83 20 3c 43 50 55 3e 3c 2f 43 50 55 3e 3c 20 3c 4d 45 4d 3e 3c 2f 4d 45 4d 3e 3c --------- Hex Payload End ----------- |---------------------| Building Rule: 2007919 -------- Hex Payload Start ---------- 59 55 4d 41 54 4f 0d 0a 31 32 33 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007987 -------- Hex Payload Start ---------- 70 6f 73 74 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0d 0a 52 65 73 6f 75 72 63 65 20 4e 61 6d 65 20 0d 0a 55 73 65 72 20 4e 61 6d 65 2f 56 61 6c 75 65 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 
2a 2a 2a 53 54 45 41 4d 20 50 41 53 53 57 4f 52 44 53 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 4e 75 6d 62 65 72 20 6f 66 20 70 72 6f 63 65 73 6f 72 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008195 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 64 6f 64 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008196 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 36 64 7a 6f 6e 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010888 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002763 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003537 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008674 -------- Hex Payload Start ---------- 0d 0a 53 75 62 6a 65 63 74 3a 20 59 6f 75 20 68 61 76 65 20 72 65 63 65 69 76 65 64 20 61 6e 20 65 43 61 72 64 20 65 2d 63 61 72 64 2e 7a 69 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008039 -------- Hex Payload Start ---------- 46 52 4f 4d 5c 3a 20 45 67 79 53 70 79 20 56 69 63 74 69 6d 54 4f 3a 20 45 67 79 53 70 79 20 55 73 65 72 53 55 42 4a 45 43 54 3a 20 45 20 67 20 79 20 53 20 70 20 79 20 4b 65 79 4c 6f 67 67 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008047 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008136 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007758 
-------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6e 65 74 63 66 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007833 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 53 49 45 20 35 2e 35 0d 0a --------- Hex Payload End ----------- \?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$ uricontent:"?spl=0&br=A&vers=0.0&s=a#"; |---------------------| Building Rule: 2010248 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \?spl=MS[0-9]{2}-[0-9]{3}$ uricontent:"?spl=MS00-000"; |---------------------| Building Rule: 2011128 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002938 -------- Hex Payload Start ---------- 4d 41 49 4c 20 46 52 4f 4d 3a 3c 6c 6f 67 73 40 6c 6f 67 73 2e 63 6f 6d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2002941 -------- Hex Payload Start ---------- 4d 41 49 4c 20 46 52 4f 4d 3a 3c 6c 6f 67 73 40 6c 6f 67 73 2e 63 6f 6d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2007986 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008243 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 53 68 6f 70 65 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007700 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009209 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009514 -------- Hex Payload Start ---------- 50 4f 53 54 20 6d 69 64 3d 20 26 77 76 3d 20 26 72 3d 20 26 74 70 3d 20 26 65 78 65 3d 20 26 6c 73 3d 20 26 75 69 64 3d --------- Hex Payload End ----------- 
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FAKE/ROGUE AV Encoded data= HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"data=/CjEfcLas0KCj/"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009553; classtype:trojan-activity; sid:2009553; rev:7;) Parser failed - skipping rule \?url=[0-9]&affid=[0-9]{5} uricontent:"?url=0&affid=00000"; |---------------------| Building Rule: 2009554 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 58 50 29 0d 0a --------- Hex Payload End ----------- \.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$ uricontent:".php?land=0&land=0"; |---------------------| Building Rule: 2010347 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2010597 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 0d 0a 48 6f 73 74 3a 20 --------- Hex Payload End ----------- [a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$ uricontent:"a.php?aid=0&sid=a"; |---------------------| Building Rule: 2010625 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 20 --------- Hex Payload End ----------- loads\.php\?code=\d+$ uricontent:"loads.php?code=0"; |---------------------| Building Rule: 2010626 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 --------- Hex Payload End ----------- download\.pl\?code=\d+$ uricontent:"download.pl?code=0"; |---------------------| Building Rule: 2010627 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 --------- Hex Payload End ----------- get\.pl\?l=\d+$ uricontent:"get.pl?l=0"; |---------------------| Building Rule: 2010628 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported [1-3]\x2Finstaller\x2FInstaller\x2Eexe uricontent:"1/installer/Installer.exe"; |---------------------| Building Rule: 2010221 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2} uricontent:"x=aa-aa-aa-aa-aa-aa"; |---------------------| Building Rule: 2009215 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009472 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011086 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- \.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$ uricontent:".php?id=0&id=0&id=0"; 
|---------------------| Building Rule: 2011693 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008322 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 54 41 4c 57 69 6e 49 6e 65 74 48 54 54 50 43 6c 69 65 6e 74 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FAKE AV HTTP CnC Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; nocase; http_client_body; content:"uid="; nocase; http_client_body; content:"cnt="; nocase; http_client_body; content:"lng="; nocase; http_client_body; content:"type="; nocase; http_client_body; content:"user_id="; nocase; http_client_body; content:"pc_id="; nocase; http_client_body; content:"abbr="; nocase; http_client_body; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)"; http_header; reference:url,doc.emergingthreats.net/2009455; classtype:trojan-activity; sid:2009455; rev:7;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:40,20; nocase; http_header; content:"verint="; nocase; http_client_body; content:"&wv="; nocase; http_client_body; content:"&report="; nocase; http_client_body; content:"&abbr="; nocase; http_client_body; content:"&pid="; http_client_body; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad; reference:url,doc.emergingthreats.net/2009751; classtype:trojan-activity; sid:2009751; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2011072 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 55 3b 20 4c 69 6e 75 78 20 69 36 38 36 3b 20 65 6e 2d 55 53 3b 20 72 76 3a 31 2e 39 2e 30 2e 34 29 20 55 62 75 6e 74 75 2f 38 2e 30 34 20 28 68 61 72 64 79 29 20 46 69 72 65 66 6f 78 2f 33 2e 30 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008397 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008398 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009519 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007866 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:trojan-activity; sid:2008431; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara="; http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:6;) Parser failed - skipping rule p4=\d+&p5=\d+&hs=\d uricontent:"p4=0&p5=0&hs=0"; |---------------------| Building Rule: 2009531 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- \.php\?cmd=getFile&counter=\d uricontent:".php?cmd=getFile&counter=0"; |---------------------| Building Rule: 2010007 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F uricontent:"/Layouts/Landings/CentralLandings/0/images/"; |---------------------| Building Rule: 2010450 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002982 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 49 4e 46 45 43 54 41 44 4f --------- Hex Payload End ----------- |---------------------| Building Rule: 2002983 -------- Hex Payload Start ---------- 50 43 20 49 4e 46 45 43 54 41 44 4f 20 43 4f 4d 20 53 
55 43 43 45 53 53 4f --------- Hex Payload End ----------- |---------------------| Building Rule: 2007826 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 50 49 2d 47 75 69 64 65 20 74 65 73 74 20 70 72 6f 67 72 61 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008237 -------- Hex Payload Start ---------- 49 4e 46 45 43 54 41 44 4f 0d 0a 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 2d 3d 0d 0a 43 6f 6d 70 75 74 61 64 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008523 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008550 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008975 -------- Hex Payload Start ---------- 41 63 63 65 70 74 3a 20 41 63 63 65 70 74 3a 20 20 4d 20 2e 20 2e --------- Hex Payload End ----------- mac=[a-f0-9] uricontent:"mac=a"; |---------------------| Building Rule: 2009442 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009470 -------- Hex Payload Start ---------- 50 4f 53 54 20 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 20 6e 61 6d 65 3d 5c 22 69 64 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 75 70 74 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 6d 6f 64 65 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 76 65 72 73 69 6f 6e 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 63 70 75 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 72 61 6d 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 6f 73 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 75 73 65 72 5c 22 0d 0a 20 6e 61 6d 65 3d 5c 22 75 73 65 72 5c 22 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009539 
-------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 67 65 74 20 33 2e 30 0d 0a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010138 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011179 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011277 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2008521 -------- Hex Payload Start ---------- 74 65 78 74 6f 3d 25 30 44 25 30 41 25 30 44 25 30 41 43 6f 6d 70 75 74 65 72 25 30 44 25 30 41 49 50 25 32 45 25 32 45 25 32 45 25 32 45 25 32 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008189 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008261 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003431 -------- Hex Payload Start ---------- 20 26 63 6f 6e 66 69 67 3d 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2003645 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 65 73 63 75 65 2f 39 2e 31 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010282 -------- Hex Payload Start ---------- 50 4f 
53 54 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 20 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 69 6d 61 67 65 2f 67 69 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010439 -------- Hex Payload Start ---------- 47 45 54 20 48 54 54 50 2f 31 2e 30 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 42 54 61 67 45 64 69 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011236 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008689 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008726 Protocol Not Supported |---------------------| Building Rule: 2008727 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46; reference:url,doc.emergingthreats.net/2010163; classtype:trojan-activity; sid:2010163; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2002775 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 64 6f 77 73 20 55 70 64 61 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002780 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 7a 0d 0a --------- Hex Payload 
End ----------- codec=\d+D\d+D\d uricontent:"codec=0D0D0"; |---------------------| Building Rule: 2007965 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009410 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001901 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001743 -------- Hex Payload Start ---------- 01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003244 -------- Hex Payload Start ---------- d0 84 ec 77 cf ec 60 e9 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003245 -------- Hex Payload Start ---------- d0 84 ec 77 cf ec 60 e9 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002790 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002929 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- \/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$ uricontent:"/a.aa/oHaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2011104 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 --------- Hex Payload End ----------- address\=([0-9A-F][0-9A-F]-){5}([0-9A-F][0-9A-F]) NOT IMPL not _simple(av) in REPEATING CODES uricontent:"address=00"; |---------------------| Building Rule: 2008317 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- \x0D\x0A\x0D\x0ASLP\x3A\d+\x3BMOD\x3A[\S\x3B]+\x3BURL\x3Ahttp\x3A\x2F{2}[^\x3B]+\x3BSRV\x3Aupd\x3B content:" SLP:0;MOD:A;URL:http://#;SRV:upd;"; |---------------------| Building Rule: Protocol Not Supported 
\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s] uricontent:"?mod=&id=#_A&up=#&mid=#"; |---------------------| Building Rule: 2008473 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003649 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 79 6b 4f --------- Hex Payload End ----------- |---------------------| Building Rule: 2003932 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 5f 37 2e 30 --------- Hex Payload End ----------- mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2} uricontent:"mac=aa-aa-aa-aa-aa-aa"; |---------------------| Building Rule: 2007592 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2007689 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 3f 3f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008156 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 49 50 32 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008515 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 0d 0a 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009811 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 61 69 64 75 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002023 -------- Hex Payload Start ---------- 55 53 45 52 20 20 20 3a 20 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002024 -------- Hex Payload Start 
---------- 4e 49 43 4b 20 20 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002025 -------- Hex Payload Start ---------- 4a 4f 49 4e 20 23 20 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003302 -------- Hex Payload Start ---------- 70 73 79 42 4e 43 40 6c 61 6d 33 72 7a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002026 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002027 -------- Hex Payload Start ---------- 50 49 4e 47 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002028 -------- Hex Payload Start ---------- 50 4f 4e 47 20 --------- Hex Payload End ----------- (ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn)) content:"ntscan 0 0"; |---------------------| Building Rule: 2002029 -------- Hex Payload Start ---------- 3a 20 20 33 33 32 20 20 20 23 20 20 3a 20 6e 74 73 63 61 6e 20 30 20 30 --------- Hex Payload End ----------- (ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn)) content:"ntscan 0 0"; |---------------------| Building Rule: 2002030 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 3a 20 6e 74 73 63 61 6e 20 30 20 30 --------- Hex Payload End ----------- \.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f content:".upda 
ftp://"; |---------------------| Building Rule: 2011162 -------- Hex Payload Start ---------- 66 74 70 3a 2f 2f 20 2e 75 70 64 61 20 66 74 70 3a 2f 2f --------- Hex Payload End ----------- floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3} NOT IMPL not _simple(av) in REPEATING CODES content:"floodnet 0"; |---------------------| Building Rule: 2002032 -------- Hex Payload Start ---------- 66 6c 6f 6f 64 6e 65 74 20 20 66 6c 6f 6f 64 6e 65 74 20 30 --------- Hex Payload End ----------- ((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s) content:".aim A"; |---------------------| Building Rule: 2002384 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 3a 20 2e 61 69 6d 20 41 --------- Hex Payload End ----------- (\.aim\w*|ascanall)\s+\w content:".aim A"; |---------------------| Building Rule: 2002386 -------- Hex Payload Start ---------- 3a 20 20 33 33 32 20 20 20 23 20 20 3a 20 2e 61 69 6d 20 41 --------- Hex Payload End ----------- ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3}) content:"ddos.phaticmp"; |---------------------| Building Rule: 2003132 -------- Hex Payload Start ---------- 64 64 6f 73 20 64 64 6f 73 2e 70 68 61 74 69 63 6d 70 --------- Hex Payload End ----------- \.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r]) content:".testdlls "; |---------------------| Building Rule: 2002363 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 3a 20 2e 74 65 73 74 64 6c 6c 73 0d --------- 
Hex Payload End ----------- \x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02 content:":##4[BackConnect]##"; |---------------------| Building Rule: 2006911 -------- Hex Payload Start ---------- 3a 02 03 34 5b 20 03 02 20 3a 02 03 34 5b 42 61 63 6b 43 6f 6e 6e 65 63 74 5d 03 02 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008123 -------- Hex Payload Start ---------- 55 53 45 52 20 58 50 2d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008124 -------- Hex Payload Start ---------- 4e 49 43 4b 20 20 55 53 41 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Illusion Bot (Lussilon) Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"?act=online&"; nocase; http_uri; content:"s4="; nocase; http_uri; content:"&s5="; nocase; http_uri; content:"&nickname="; http_uri; content:"msg_out="; http_client_body; depth:8; nocase; reference:url,doc.emergingthreats.net/2007829; classtype:trojan-activity; sid:2007829; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2001066 -------- Hex Payload Start ---------- 23 40 7e 5e 2f 67 41 41 41 41 3d 3d 40 23 40 26 40 23 40 26 37 6c 4d 50 3a 48 56 4b 5e 50 7b 50 5b 57 31 45 68 6e 20 23 40 7e 5e 47 41 49 41 41 41 3d 3d 40 23 40 26 5c 5c 43 4d 50 73 58 2f 44 44 2c 78 50 76 45 55 2b 6b 6d 43 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009077 -------- Hex Payload Start ---------- 46 32 32 32 32 32 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007611 -------- Hex Payload Start ---------- 0d 0a 58 2d 50 72 69 6f 72 69 74 79 3a 20 31 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 20 0d 0a 0d 0a 2e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007612 -------- Hex Payload Start ---------- 
0d 0a 58 2d 50 72 69 6f 72 69 74 79 3a 20 33 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 20 0d 0a 0d 0a 2e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007613 -------- Hex Payload Start ---------- 0d 0a 58 2d 50 72 69 6f 72 69 74 79 3a 20 31 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 20 0d 0a 4d 41 43 2e 2e 2e 2e 2e 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2007614 -------- Hex Payload Start ---------- 0d 0a 58 2d 50 72 69 6f 72 69 74 79 3a 20 33 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 20 0d 0a 4d 41 43 2e 2e 2e 2e 2e 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2007950 -------- Hex Payload Start ---------- 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20 49 6e 64 79 20 4e 6f 6d 65 20 64 6f 20 43 6f 6d 70 75 74 61 64 6f 72 2e 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Insidebar.co.kr Related Infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"e=inside&s="; http_client_body; content:"&ver="; http_client_body; content:"&p="; http_client_body; reference:url,doc.emergingthreats.net/2008760; classtype:trojan-activity; sid:2008760; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2008767 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 73 6f 73 73 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008642 -------- Hex Payload Start ---------- 74 6f 3d 20 26 66 72 6f 6d 3d 20 26 73 75 62 6a 65 63 74 3d 20 26 6d 65 73 73 61 67 65 3d 20 44 69 73 63 72 69 62 74 69 6f 6e 20 4b 45 59 4c 4f 47 47 2b 50 52 4f 2b 47 4f 4c 44 2b 56 45 52 53 49 4f 4e 20 49 50 48 6f 73 74 4e 61 6d 65 20 49 50 41 64 64 72 65 73 73 20 59 61 68 6f 6f 4d 65 73 73 65 6e 67 65 72 2b 50 61 73 73 77 6f 72 64 73 --------- Hex 
Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2008449 -------- Hex Payload Start ---------- 53 65 63 72 65 74 20 43 6c 69 65 6e 74 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008339 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6b 65 79 70 61 63 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2008338 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 20 4e 69 63 6b 2b 4b 65 79 2b 41 74 69 76 61 64 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2003538 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008249 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010787 -------- Hex Payload Start ---------- 0d 0a 0d 0a 63 6f 6d 6d 61 6e 64 7c 66 69 6c 65 7c 68 74 74 70 20 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2010788 -------- Hex Payload Start ---------- 0d 0a 0d 0a 63 6f 6d 6d 61 6e 64 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2010230 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Koobface Trojan HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"f=0&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l=&ck="; http_client_body; content:"&c_fb="; http_client_body; reference:url,doc.emergingthreats.net/2008864; classtype:trojan-activity; sid:2008864; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2009407 -------- Hex Payload Start ---------- 23 42 4c 41 43 4b 4c 41 42 45 4c 0d 0a 45 58 49 54 --------- Hex Payload End ----------- \?action=\w+gen&v=\d uricontent:"?action=Agen&v=0"; |---------------------| Building Rule: 2010150 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010151 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010152 -------- Hex Payload Start ---------- 0d 0a 0d 0a 41 43 48 5f 4f 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2010153 -------- Hex Payload Start ---------- 20 66 3d 30 26 61 3d 20 26 76 3d 20 26 63 3d 20 26 73 3d 20 26 6c 3d 20 26 63 6b 3d 20 26 63 5f 66 62 3d 20 26 63 5f 6d 73 3d 20 26 63 5f 68 69 3d 20 26 63 5f 62 65 3d 20 26 63 5f 66 72 3d 20 26 63 5f 79 62 3d 20 26 63 5f 74 67 3d 20 26 63 5f 6e 6c 3d 20 26 63 5f 66 75 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010700 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- MyValue=[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\: uricontent:"MyValue=aa:aa:aa:aa:"; |---------------------| Building Rule: 2009003 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007779 -------- Hex 
Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6b 70 61 6e 67 75 70 64 61 74 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007849 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 6c 65 72 74 75 70 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; fast_pattern; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2003187 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003188 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \/cp\/rule\.php\?gcu=\d uricontent:"/cp/rule.php?gcu=0"; |---------------------| Building Rule: 2003189 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003190 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 64 61 74 61 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003296 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 30 2e 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 20 3a 38 30 3b 32 35 35 2e 32 35 35 2e 32 35 35 2e 32 35 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009078 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- ^\x23\d\d\d\x2f\x21 content:"#000/!"; |---------------------| Building Rule: 2008220 Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; reference:url,doc.emergingthreats.net/2007774; classtype:trojan-activity; sid:2007774; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2008333 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008347 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 --------- Hex Payload End ----------- fxp=[a-z0-9]{60} uricontent:"fxp=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2008379 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008943 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009810 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 
65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 6e 61 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 4c 52 20 33 2e 30 2e 34 35 30 36 2e 32 31 35 32 3b 20 2e 4e 45 54 20 43 4c 52 20 33 2e 35 2e 33 30 37 32 39 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008340 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009805 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 53 50 47 4b 29 0d 0a --------- Hex Payload End ----------- \/NewsFolder\/News00\d\d\.ASP\?id= uricontent:"/NewsFolder/News0000.ASP?id="; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; uricontent:"/NewsFolder/News0000.ASP?id="; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2008839 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008840 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Accept-Language\: [a-zA-Z0-9]{20} content:"Accept-Language: aaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2007650 -------- Hex Payload Start ---------- 47 45 54 20 20 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008955 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 4d 61 63 69 6e 74 6f 73 68 3b 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6f 2c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008758 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \x06\x00?$ content:"#"; |---------------------| Building Rule: 2007949 -------- Hex Payload Start ---------- 65 62 65 78 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.asp"; http_uri; content:"ver="; http_client_body; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http_client_body; reference:url,doc.emergingthreats.net/2008891; classtype:trojan-activity; sid:2008891; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2007811 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/(ucleaner|udefender|ufixer)\.com\/demo\.php\? uricontent:"/ucleaner.com/demo.php?"; |---------------------| Building Rule: 2007566 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009126 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009752 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009813 -------- Hex Payload Start ---------- 50 4f 53 54 20 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 20 0d 0a 72 3d 20 26 66 3d 20 26 70 3d 20 26 75 3d 20 26 69 3d 20 26 67 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010158 -------- Hex Payload Start ---------- 48 45 41 44 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009694 -------- Hex Payload Start ---------- 0d 0a 53 65 72 76 65 72 3a 20 6c 69 67 68 74 74 70 64 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 43 46 47 3e 5f 53 59 53 54 45 4d 5f 44 49 52 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008592 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007825 -------- Hex Payload Start ---------- 55 73 
65 72 2d 41 67 65 6e 74 3a 20 6e 65 6f 6e 61 62 79 75 70 64 61 74 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009125 -------- Hex Payload Start ---------- 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 65 6e 0d 0a 20 3b 57 69 6e 64 6f 77 73 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008481 -------- Hex Payload Start ---------- 00 c0 a8 01 f4 6f 00 00 00 20 00 00 00 05 01 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011186 Error here within! -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 79 61 2e 72 75 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011188 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 51 58 33 31 35 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009443 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 6f 42 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008405 -------- Hex Payload Start ---------- 20 2f 67 61 74 65 2e 70 68 70 3f 68 61 73 68 3d 20 20 20 20 20 20 20 20 20 48 54 54 50 2f 31 2e --------- Hex Payload End ----------- \.php\?id=[0-9a-f]{8}$ uricontent:".php?id=00000000"; |---------------------| Building Rule: 2010244 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 65 0d 0a --------- Hex Payload End ----------- \x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D uricontent:".php?id=&v=&tm=&b="; |---------------------| Building Rule: 2009776 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2010743 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 2e 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010723 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5b 69 6e 66 6f 5d 72 75 6e 75 72 6c 3a 20 7c 74 61 73 6b 69 64 3a 20 7c 64 65 6c 61 79 3a 20 7c 75 70 64 3a 5b 2f 69 6e 66 6f 5d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010724 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5b 69 6e 66 6f 5d 6b 69 6c 6c 3a 20 7c 64 65 6c 61 79 3a 20 7c 75 70 64 3a 5b 2f 69 6e 66 6f 5d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010744 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5b 69 6e 66 6f 5d 64 65 6c 61 79 3a 20 7c 75 70 64 3a 5b 2f 69 6e 66 6f 5d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008973 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010224 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2008212 -------- Hex Payload Start ---------- 4f 70 74 69 78 20 50 72 6f 20 76 49 6e 73 74 61 6c 6c 65 64 20 54 72 6f 6a 61 6e 20 50 6f 72 74 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"to="; http_client_body; content:"Optix Pro v"; http_client_body; content:" Server Online"; http_client_body; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008218; classtype:trojan-activity; sid:2008218; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2008159 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 69 6e 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009130 Protocol Not Supported |---------------------| Building Rule: 2009131 Protocol Not Supported updatea\.php\?p=\d uricontent:"updatea.php?p=0"; |---------------------| Building Rule: 2003115 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- updateb\.php\?p=\d uricontent:"updateb.php?p=0"; |---------------------| Building Rule: 2003116 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003183 -------- Hex Payload Start ---------- 48 54 54 50 20 0d 0a 48 61 6c 6c 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007688 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 20 --------- Hex Payload End ----------- \.php\?1=[a-z0-9]+_[a-z0-9_]+&i= uricontent:".php?1=a_a&i="; |---------------------| Building Rule: 2007724 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- \/cfg\.bin$ uricontent:"/cfg.bin"; |---------------------| Building Rule: 2008100 -------- Hex Payload Start ---------- 20 47 45 54 20 6e 6f 2d 63 61 63 68 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007862 -------- Hex Payload Start ---------- 61 3d 26 
62 3d 50 61 73 73 65 73 20 66 72 6f 6d 26 63 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008034 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 50 61 73 73 65 73 20 66 72 6f 6d 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 3b 2e 62 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2008366 -------- Hex Payload Start ---------- 50 4f 53 54 20 2e 70 68 70 20 61 3d 20 26 62 3d 20 26 64 3d 20 26 63 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008411 -------- Hex Payload Start ---------- 58 2d 4d 61 69 6c 65 72 3a 20 54 68 65 20 42 61 74 21 20 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2009242 -------- Hex Payload Start ---------- 58 2d 4d 61 69 6c 65 72 3a 20 42 6c 61 74 20 76 32 2e 36 2e 32 20 77 2f 47 53 53 20 65 6e 63 72 79 70 74 69 6f 6e 2c 20 61 20 57 69 6e 33 32 20 53 4d 54 50 2f 4e 4e 54 50 20 6d 61 69 6c 65 72 20 68 74 74 70 3a 2f 2f 77 77 77 2e 62 6c 61 74 2e 6e 65 74 0d 0a 0d 0a 53 75 62 6a 65 63 74 3a 20 43 6f 6e 74 65 6e 74 73 20 6f 66 20 66 69 6c 65 3a 20 57 49 4e 44 4f 57 53 2f 73 79 73 74 65 6d 33 32 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2001933 -------- Hex Payload Start ---------- 46 72 6f 6d 3a 20 22 50 43 20 49 44 3a 20 53 75 62 6a 65 63 74 3a 20 49 4e 46 45 43 54 45 44 20 65 73 74 61 20 69 6e 66 65 63 74 61 64 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2003635 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 6f 6f 6b 49 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008506 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 69 64 3d 20 26 74 69 74 3d 20 26 63 6f 6d 6d 20 52 75 6e 2b 53 75 63 63 65 73 73 66 75 6c 6c 79 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2008551 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 56 69 70 20 50 61 73 73 77 30 72 64 73 0d 0a 0d 0a 56 69 63 74 69 6d 20 4e 61 6d 65 20 3a 20 0d 0a 23 23 23 23 23 23 23 23 20 49 43 51 20 50 41 53 53 57 4f 52 44 53 20 23 23 23 23 23 23 23 23 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2008841 -------- Hex Payload Start ---------- 49 45 37 20 50 61 73 73 77 6f 72 64 73 3a 20 46 46 20 50 61 73 73 77 6f 72 64 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009094 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007767 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 37 20 5b 65 6e 5d 20 28 57 69 6e 4e 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007768 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007771 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008152 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008277 -------- Hex Payload Start 
---------- 50 4f 53 54 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008358 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008433 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2009108 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2008920 -------- Hex Payload Start ---------- 00 00 00 10 c8 00 00 00 b0 ff --------- Hex Payload End ----------- |---------------------| Building Rule: 2009238 -------- Hex Payload Start ---------- 82 87 99 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009239 -------- Hex Payload Start ---------- 52 0d 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007973 -------- Hex Payload Start ---------- 43 6f 6e 67 72 61 74 75 6c 61 74 69 6f 6e 73 21 20 50 65 72 66 65 63 
74 20 4b 65 6c 6f 67 67 65 72 20 77 61 73 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 69 6e 73 74 61 6c 6c 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008893 Protocol Not Supported |---------------------| Building Rule: 2007974 -------- Hex Payload Start ---------- 4c 6f 67 20 75 70 6c 6f 61 64 20 64 61 74 65 3a 20 20 0d 0a 54 69 6d 65 3a 20 54 6f 20 76 69 65 77 20 44 41 54 20 66 69 6c 65 73 2c 20 70 6c 65 61 73 65 20 64 6f 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 73 74 65 70 73 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008327 -------- Hex Payload Start ---------- 43 00 6f 00 6e 00 67 00 72 00 61 00 74 00 75 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 21 00 20 00 50 00 65 00 72 00 66 00 65 00 63 00 74 00 20 00 4b 00 65 00 6c 00 6f 00 67 00 67 00 65 00 72 00 20 00 77 00 61 00 73 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 66 00 75 00 6c 00 6c 00 79 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 64 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009405 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009406 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008017 Protocol Not Supported \/[a-z]{2}[0-9]{3}[a-z]{2}\/LoginFacebook\.php$ uricontent:"/aa000aa/LoginFacebook.php"; |---------------------| Building Rule: 2011121 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011184 -------- Hex Payload Start ---------- 43 72 65 61 74 65 6f 62 6a 65 63 74 28 53 74 72 52 65 76 65 72 73 65 28 22 74 63 65 6a 62 4f 6d 65 74 73 79 53 65 6c 69 46 2e 67 6e 69 74 70 69 72 63 53 22 29 29 --------- Hex Payload End ----------- \/cd\/cd\.php.id=[A-F0-9\-]+&ver= uricontent:"/cd/cd.php0id=A&ver="; |---------------------| Building Rule: 2008382 -------- 
Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/cd\/un2\.php.id=[A-F0-9\-]+&ver= uricontent:"/cd/un2.php0id=A&ver="; |---------------------| Building Rule: 2008383 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/cd\/un\.php.id=[A-F0-9\-]+&ver= uricontent:"/cd/un.php0id=A&ver="; |---------------------| Building Rule: 2008384 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008626 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006391 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 50 4d 5f 49 44 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008972 -------- Hex Payload Start ---------- 20 26 68 64 64 3d 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009806 -------- Hex Payload Start ---------- 6f 70 3d 20 26 73 65 72 76 69 64 6f 72 3d 20 26 73 65 6e 68 61 3d 20 26 75 73 75 61 72 69 6f 3d 20 26 62 61 73 65 3d 20 26 73 67 64 62 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2010344 -------- Hex Payload Start ---------- 2f 46 49 52 53 54 49 4e 46 2f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010345 -------- Hex Payload Start ---------- 2f 41 56 41 49 4c 41 42 4c 2f 0d 0a --------- Hex Payload End ----------- \.gif$ uricontent:".gif"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; uricontent:".gif"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:10;) Parser failed - skipping rule \.jpg$ uricontent:".jpg"; |---------------------| Building Rule: 2010067 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TROJ_PROX.AFV POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"=|22|sid|22|"; http_client_body; nocase; content:"=|22|up|22|"; http_client_body; nocase; content:"=|22|wbfl|22|"; http_client_body; nocase; content:"=|22|v|22|"; http_client_body; nocase; content:"=|22|ping|22|"; http_client_body; nocase; content:"=|22|guid|22|"; http_client_body; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; reference:url,doc.emergingthreats.net/2007728; classtype:trojan-activity; sid:2007728; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2006405 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006406 -------- Hex Payload Start ---------- 20 74 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008244 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- &os=[a-f0-9]{50} uricontent:"&os=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2008493 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Qhosts Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"UserID="; http_client_body; content:"&wv="; http_client_body; content:"&res="; http_client_body; content:"&lng="; http_client_body; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99; reference:url,doc.emergingthreats.net/2009517; classtype:trojan-activity; sid:2009517; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2008285 -------- Hex Payload Start ---------- 2e 70 61 63 6b 65 64 20 2e 52 4c 50 61 63 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2007807 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008376 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008733 -------- Hex Payload Start ---------- 52 45 54 52 20 6b 33 79 6c 6f 67 67 65 72 2e 74 78 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007834 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Runner/Bublik Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; fast_pattern; nocase; content:!"User-Agent|3a|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:trojan-activity; sid:2009711; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2010065 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009525 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 2f 38 2e 38 31 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 55 3b 20 65 6e 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009530 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 2f 38 2e 38 39 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 55 3b 20 65 6e 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2003636 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4b 55 4b 55 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009474 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 2f 39 2e 32 38 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 55 3b 20 65 6e 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2010756 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 
2007751 -------- Hex Payload Start ---------- 47 45 54 20 2f 34 30 34 2e 74 78 74 20 48 54 54 50 2f 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:trojan-activity; sid:2007752; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2007753 -------- Hex Payload Start ---------- 2d 00 00 00 20 20 00 00 55 00 00 00 --------- Hex Payload End ----------- \/tasksz\.php\?(?:dc|load) uricontent:"/tasksz.php?"; |---------------------| Building Rule: 2010288 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 6f 6f 67 6c 65 20 42 6f 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2007992 -------- Hex Payload Start ---------- 0d 0a 53 75 62 6a 65 63 74 3a 20 43 6f 64 65 73 6f 66 74 20 50 57 20 53 74 65 61 6c 65 72 20 0d 0a 0d 0a 43 6f 64 65 73 6f 66 74 20 50 57 20 53 74 65 61 6c 65 72 20 46 69 6c 65 20 66 69 6c 65 6e 61 6d 65 3d 22 2e 6c 6f 67 22 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002776 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 69 63 6b 6c 65 42 6f 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010268 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 --------- Hex Payload End ----------- \.php\?i=\w+_[0-9A-F]{8}&k=\d+$ uricontent:".php?i=A_00000000&k=0"; |---------------------| Building Rule: 2010201 
-------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008580 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- \?n=\d+&id=.+&t=.+&i=\d uricontent:"?n=0&id=0&t=0&i=0"; |---------------------| Building Rule: 2009300 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003515 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6e 61 74 63 68 2d 53 79 73 74 65 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2008545 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008280 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008393 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008395 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008324 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \/manda\.php\?id=(-)?\d{9,10}&v=\w NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/manda.php?id=000000000&v=A"; |---------------------| Building Rule: 2010765 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006395 -------- Hex Payload Start ---------- 9a 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006396 -------- Hex Payload Start ---------- 9a 02 07 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006397 -------- Hex 
Payload Start ---------- 9a 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006398 -------- Hex Payload Start ---------- 9a 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006399 -------- Hex Payload Start ---------- 9a 02 05 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008236 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007898 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008644 -------- Hex Payload Start ---------- 6d 61 69 6e 69 6e 66 6f 7c 20 20 20 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2008911 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007780 -------- Hex Payload Start ---------- 0d 0a 53 75 62 6a 65 63 74 3a 20 53 53 50 50 59 59 20 6e 6f 74 69 66 69 63 61 74 69 6f 6e 0d 0a 58 3d 4d 61 69 6c 65 72 3a 20 4d 61 69 6c 0d 0a 20 20 20 20 20 54 68 65 20 63 6f 6d 70 75 74 65 72 20 79 6f 75 20 61 72 65 20 6d 6f 6e 69 74 6f 72 69 6e 67 20 68 61 73 20 63 6f 6e 6e 65 63 74 65 64 20 6f 6e 6c 69 6e 65 20 2d 20 54 68 65 20 6d 6f 64 75 6c 65 20 6e 61 6d 65 20 6f 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008360 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 29 --------- Hex Payload End ----------- type 
both, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2007618 Protocol Not Supported |---------------------| Building Rule: 2007742 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 73 73 20 4e 54 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010441; classtype:trojan-activity; sid:2010441; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010442; classtype:trojan-activity; sid:2010442; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2003435 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008522 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010872 -------- Hex Payload Start ---------- 50 72 61 67 6d 61 3a 20 68 61 63 6b 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008732 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008944 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008341 -------- Hex Payload Start ---------- 2e 69 64 61 74 61 20 20 20 54 68 65 6d 64 61 20 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007832 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003238 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 62 35 61 20 28 57 69 6e 39 35 3b 20 49 29 20 64 61 74 61 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2003239 -------- Hex Payload Start 
---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002959 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002961 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002964 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008232 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008639 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tigger.a/Syzor Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/track.cgi"; http_uri; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&b="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; reference:url,doc.emergingthreats.net/2009347; classtype:trojan-activity; sid:2009347; rev:6;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tigger.a/Syzor Control Checkin"; flow:established,to_server; content:"/track.cgi"; http_uri; content:"POST"; depth:4; http_method; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; content:"&z="; http_client_body; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; classtype:trojan-activity; sid:2009096; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2002762 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003066 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- MyValue=[a-f0-9]{32} uricontent:"MyValue=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2010267 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010823 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 70 61 63 68 65 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008155 Error here depth! 
-------- Hex Payload Start ---------- 20 20 50 4f 53 54 20 0d 0a 53 50 4b 3a 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 29 20 57 69 6e 4e 54 20 35 2e 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2008021 -------- Hex Payload Start ---------- 61 6d 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008022 -------- Hex Payload Start ---------- 4d 49 4e 46 4f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008023 -------- Hex Payload Start ---------- 4d 49 4e 46 4f 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008024 -------- Hex Payload Start ---------- 4c 4f 47 53 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008025 -------- Hex Payload Start ---------- 08 00 00 00 4c 4f 47 53 31 5b --------- Hex Payload End ----------- |---------------------| Building Rule: 2008026 -------- Hex Payload Start ---------- 42 41 47 4c 41 4e 54 49 3f --------- Hex Payload End ----------- |---------------------| Building Rule: 2008027 -------- Hex Payload Start ---------- 42 52 4f 57 53 20 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008028 -------- Hex Payload Start ---------- 20 20 00 00 6d 65 74 69 6e 0d 3a --------- Hex Payload End 
----------- |---------------------| Building Rule: 2008029 -------- Hex Payload Start ---------- 6e 78 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008030 -------- Hex Payload Start ---------- 6e 78 74 09 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009458 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2009521 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- .asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"0asp?username=0&serverMac=00&edition="; |---------------------| Building Rule: 2009532 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 26 65 64 69 74 69 6f 6e 3d --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"&ver="; http_client_body; content:"&MAX_EXECUTE_TIME="; http_client_body; fast_pattern; content:"&RELOAD_JOBS="; http_client_body; content:"&BROWSER_DELAY="; http_client_body; content:"&CONTROL_PAGE"; http_client_body; content:"&lastlogcount"; http_client_body; content:"&min_captchasize"; http_client_body; content:"&botid"; http_client_body; content:"&REG_NAME"; http_client_body; content:"&botlogin="; http_client_body; reference:url,doc.emergingthreats.net/2009830; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FWombot.A; classtype:trojan-activity; sid:2009830; rev:7;) Parser failed - skipping rule \/exe\.exe$ uricontent:"/exe.exe"; |---------------------| Building Rule: 2010741 -------- Hex Payload Start ---------- --------- 
Hex Payload End ----------- \/smain\?scout=acxc[a-z]{3}$ uricontent:"/smain?scout=acxcaaa"; |---------------------| Building Rule: 2010822 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010838 Error here within! -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 20 20 0d 0a 52 65 71 75 65 73 74 3a 20 20 72 75 6e 0d 0a --------- Hex Payload End ----------- \.php\?U=\d+@\d+@\d+@\d+@\d+@[a-f0-9]+$ uricontent:".php?U=0@0@0@0@0@a"; |---------------------| Building Rule: 2010975 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007698 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- \?sid=[0-9A-F]{180} uricontent:"?sid=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2007142 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007285 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008377 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008863 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008573 -------- Hex Payload Start ---------- 76 69 72 75 73 63 61 74 63 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- 
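The uricontent:"..." lines in this log are derived from each rule's pcre: option by walking the regex and emitting one string it accepts (first member of a character class, minimum repeat count, \d as 0, \w as A, . as 0); the "NOT IMPL not _simple(av) in REPEATING CODES" lines show the converter giving up on a repeat whose body is a group, which is why the MAC-address patterns lose their "00-00-00-00-00-" part. The block below is an added example of that conversion, not the converter's own code: it walks Python's regex parse tree with the same conventions, expands repeated groups and alternations instead of dropping them, and checks the result against the pattern before emitting it. The handling of the pcre wrapper (strip the /.../flags delimiters, drop Snort-only modifiers such as U, map i/s/m/x) is an assumption about the input format.

```python
"""Regenerate the uricontent: sample a converter derives from a Snort/Suricata pcre: option.

Added example; it is not the converter whose log this is.  Shortest accepted string:
first class member, minimum repeat count, \\d -> '0', \\w -> 'A', '.' -> '0'.
"""
import re

try:                                  # Python 3.11+: the regex parser lives under re
    from re import _parser as P
except ImportError:                   # Python <= 3.10: same module under its old name
    import sre_parse as P

# Sample characters for the shorthand classes (mirrors \d -> 0 and \w -> A in the log).
CATEGORY_SAMPLE = {P.CATEGORY_DIGIT: "0", P.CATEGORY_WORD: "A", P.CATEGORY_SPACE: " ",
                   P.CATEGORY_NOT_DIGIT: "A", P.CATEGORY_NOT_WORD: " ", P.CATEGORY_NOT_SPACE: "0"}
CATEGORY_RE = {P.CATEGORY_DIGIT: r"\d", P.CATEGORY_WORD: r"\w", P.CATEGORY_SPACE: r"\s",
               P.CATEGORY_NOT_DIGIT: r"\D", P.CATEGORY_NOT_WORD: r"\W", P.CATEGORY_NOT_SPACE: r"\S"}
ANY_SAMPLE = "0"
REPEAT_OPS = tuple(getattr(P, n) for n in ("MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT")
                   if hasattr(P, n))
SKIP_OPS = (P.AT, P.ASSERT, P.ASSERT_NOT)      # anchors and look-around consume nothing
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def split_pcre(option_value):
    """'/pattern/flags' (optionally !-negated, optionally quoted) -> (pattern, re flags).

    Assumed input format.  Snort-only modifiers (U, R, B, P, ...) are dropped.
    """
    body = option_value.strip().lstrip("!").strip().strip('"')
    last = body.rfind("/")
    if not body.startswith("/") or last == 0:
        raise ValueError("pcre value is not /pattern/flags: %r" % option_value)
    flags = 0
    for ch in body[last + 1:]:
        flags |= PCRE_FLAGS.get(ch, 0)
    return body[1:last], flags


def _item_matches(ch, item):
    """Does one bracket-class item (literal, range or \\d-style category) accept ch?"""
    op, av = item
    if op == P.LITERAL:
        return ord(ch) == av
    if op == P.RANGE:
        return av[0] <= ord(ch) <= av[1]
    if op == P.CATEGORY:
        return re.fullmatch(CATEGORY_RE[av], ch) is not None
    raise NotImplementedError("class item %s" % op)


def _class_sample(items):
    """First member of a bracket class; for a negated class, a printable outsider."""
    if items[0][0] == P.NEGATE:
        return next(c for c in "0Aa -._" if not any(_item_matches(c, it) for it in items[1:]))
    op, av = items[0]
    if op == P.LITERAL:
        return chr(av)
    if op == P.RANGE:
        return chr(av[0])
    return CATEGORY_SAMPLE[av]        # op == CATEGORY


def _walk(sub, groups):
    out = []
    for op, av in sub:
        if op == P.LITERAL:
            out.append(chr(av))
        elif op == P.NOT_LITERAL:
            out.append("0" if av != ord("0") else "A")
        elif op == P.ANY:
            out.append(ANY_SAMPLE)
        elif op == P.IN:
            out.append(_class_sample(av))
        elif op in REPEAT_OPS:        # (min, max, body): minimum count, recursing into the
            lo, _hi, body = av        # body so a repeated group is expanded, not dropped
            out.append(_walk(body, groups) * lo)
        elif op == P.SUBPATTERN:      # (group, add_flags, del_flags, body)
            text = _walk(av[3], groups)
            if av[0] is not None:
                groups[av[0]] = text
            out.append(text)
        elif op == P.BRANCH:          # (None, [alternatives]): take the first one
            out.append(_walk(av[1][0], groups))
        elif op == P.GROUPREF:
            out.append(groups[av])
        elif op in SKIP_OPS:
            continue
        else:
            raise NotImplementedError("opcode %s" % op)
    return "".join(out)


def sample_for(pattern, flags=0):
    """Shortest string accepted by pattern, verified against the pattern itself."""
    sample = _walk(P.parse(pattern, flags), {})
    if re.search(pattern, sample, flags) is None:
        raise AssertionError("generated %r does not match %r" % (sample, pattern))
    return sample


def uricontent_for(pcre_option):
    """uricontent: line for a rule's pcre: value, e.g. '"/\\/exe\\.exe$/U"'."""
    pattern, flags = split_pcre(pcre_option)
    return 'uricontent:"%s";' % sample_for(pattern, flags)


if __name__ == "__main__":            # patterns taken from the log above
    for pcre in (r'"/\/[a-z]{2}[0-9]{3}[a-z]{2}\/LoginFacebook\.php$/U"',
                 r'"/\/manda\.php\?id=(-)?\d{9,10}&v=\w/U"',
                 r'"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/U"',
                 r'"/\/tasksz\.php\?(?:dc|load)/U"'):
        print(pcre, "->", uricontent_for(pcre))
```

The self-check in sample_for is the part worth keeping in any converter: a generated uricontent that the rule's own pcre rejects (the empty "(?:dc|load)" and "00" MAC cases in the log) produces a test packet that never fires the rule, so the failure is silent.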
|---------------------| Building Rule: 2008527 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 74 61 74 69 73 74 69 63 61 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2003603 -------- Hex Payload Start ---------- 4a 4f 49 4e 20 26 76 69 72 74 75 --------- Hex Payload End ----------- .asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})+&ver=\d NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"0asp?mac=&ver=0"; |---------------------| Building Rule: 2009374 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- .asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2}) NOT IMPL not _simple(av) in REPEATING CODES uricontent:"0asp?mac=00"; |---------------------| Building Rule: 2009457 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- n=[0-9A-F]{12,24} uricontent:"n=000000000000"; |---------------------| Building Rule: 2009444 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009808 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009829 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007573 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007989 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007990 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008082 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008976 -------- Hex 
Payload Start ---------- 50 4f 53 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008977 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174; classtype:trojan-activity; sid:2009174; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2010490 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 29 20 57 69 6e 4e 54 20 35 2e 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2002857 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002782 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002781 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac Beacon Traffic Detected"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"Referer|3a| Mozilla|0d 0a|"; nocase; http_header; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; content:"a="; nocase; http_client_body; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2003180 -------- Hex Payload Start ---------- 20 50 4f 53 54 --------- Hex Payload End ----------- \/chr\/\d+\/e\/t\d+\?lid= uricontent:"/chr/0/e/t0?lid="; |---------------------| Building Rule: 2003436 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2006448 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2007608 -------- Hex Payload Start ---------- 9a 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=i&k="; http_client_body; reference:url,doc.emergingthreats.net/2008003; classtype:trojan-activity; sid:2008003; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=c&s="; http_client_body; reference:url,doc.emergingthreats.net/2008004; classtype:trojan-activity; sid:2008004; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2007663 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 63 68 61 6f 6e 0d 0a --------- Hex Payload End ----------- \/log\/proc\.php.key=[a-z0-9]{11} uricontent:"/log/proc.php0key=aaaaaaaaaaa"; |---------------------| Building Rule: 2008185 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2007966 -------- Hex Payload Start ---------- 16 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008319 -------- Hex Payload Start ---------- 50 4f 53 54 20 3d 22 62 6f 74 75 72 6c 22 20 3d 22 66 69 6c 65 6e 61 6d 65 22 20 3d 22 63 6f 6d 70 69 70 73 22 20 3d 22 6c 6f 61 64 65 72 6e 61 6d 65 22 20 3d 22 6c 6f 61 64 65 72 69 64 22 20 3d 22 75 70 74 69 6d 65 22 20 3d 22 63 6f 6d 70 74 69 6d 65 22 20 3d 22 77 69 6e 76 65 72 22 --------- Hex Payload End ----------- mac=([0-9A-F]{2}:){5}([0-9A-F]{2}) NOT IMPL not _simple(av) in REPEATING CODES uricontent:"mac=00"; |---------------------| Building Rule: 2008949 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- mac=([0-9A-F]{2}:){5}([0-9A-F]{2}) NOT IMPL not _simple(av) in REPEATING CODES uricontent:"mac=00"; |---------------------| Building Rule: 2008952 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008950 -------- Hex Payload Start ---------- 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 20 0d 0a 0d 0a 78 78 79 79 73 69 67 6e 0d 0a 78 78 79 79 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000Content-Length:"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/OvCgi/Toolbar.exe"; nocase; content:"Accept-Language|3A|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3A|"; nocase; distance:1350; content:"Accept-Language:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000Content-Length:"; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/OvCgi/OvWebHelp.exe"; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2001365 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001343 -------- Hex Payload Start ---------- 47 45 54 20 25 35 43 20 61 73 70 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010592 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2010593 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000559 -------- Hex Payload Start ---------- 54 48 43 4f 57 4e 5a 49 49 53 21 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010379 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 61 63 74 69 6f 6e 3d 69 6e 76 6f 6b 65 4f 70 26 6e 61 6d 65 3d 6a 62 6f 73 73 2e 64 65 70 6c 6f 79 6d 65 6e 74 20 66 6c 61 76 6f 72 25 32 35 33 44 55 52 4c 25 32 35 32 43 74 79 70 65 25 32 35 33 44 44 65 70 6c 6f 79 6d 65 6e 74 53 63 61 6e 6e 65 72 20 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2010380 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010162 -------- Hex Payload Start ---------- 4a 75 6e 69 70 65 72 20 4e 65 74 77 6f 72 6b 73 2c 20 49 6e 63 20 56 65 72 73 69 6f 6e 3a 53 63 72 65 65 6e 4f 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010863 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 64 65 6c 42 61 63 6b 75 70 4e 61 6d 65 62 61 63 6b 75 70 52 65 73 74 6f 72 65 46 6f 72 6d 53 75 62 6d 69 74 74 65 64 --------- Hex Payload End ----------- date=\d{8}\)\;. uricontent:"date=00000000);0"; |---------------------| Building Rule: 2002777 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2001768 -------- Hex Payload Start ---------- 4d 69 63 72 6f 73 6f 66 74 20 4f 4c 45 20 44 42 20 50 72 6f 76 69 64 65 72 20 66 6f 72 20 53 51 4c 20 53 65 72 76 65 72 20 65 72 72 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010004 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2000105 -------- Hex Payload Start ---------- 73 70 5f 70 61 73 73 77 6f 72 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2000106 -------- Hex Payload Start ---------- 73 70 5f 64 65 6c 65 74 65 5f 61 6c 65 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009815 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (start|stop|continue|pause|querystate) uricontent:"start"; |---------------------| Building Rule: 2009816 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009817 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- xp_reg(read|write|delete) uricontent:"xp_regread"; |---------------------| Building 
Rule: 2009818 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009819 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009820 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009822 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains) uricontent:"xp_enumdsn"; |---------------------| Building Rule: 2009823 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003466 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 72 66 65 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009799 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 20 46 75 63 6b 69 6e 67 20 53 63 61 6e 6e 65 72 --------- Hex Payload End ----------- ping\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B) uricontent:"ping=0.0.0.0"; |---------------------| Building Rule: 2009670 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002864 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\/ uricontent:"showenv?CUSTOMIZE=/"; |---------------------| Building Rule: 2002131 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\/ uricontent:"showenv?destype=filedesformat=/"; |---------------------| Building Rule: 2002132 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep) uricontent:"showenv?report=.rdf"; |---------------------| Building 
Rule: 2002133 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- <?(java|vb)?script>? NOT IMPL not _simple(av) in REPEATING CODES content:"script"; |---------------------| Building Rule: 2009643 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 73 65 61 72 63 68 2f 71 75 65 72 79 2f 73 65 61 72 63 68 20 73 65 61 72 63 68 5f 70 5f 67 72 6f 75 70 73 3d 20 73 63 72 69 70 74 20 73 63 72 69 70 74 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES content:"script<0/script"; |---------------------| Building Rule: 2009644 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 63 6f 6e 73 6f 6c 65 68 65 6c 70 2f 63 6f 6e 73 6f 6c 65 2d 68 65 6c 70 2e 70 6f 72 74 61 6c 20 73 65 61 72 63 68 51 75 65 72 79 3d 20 73 63 72 69 70 74 20 73 63 72 69 70 74 3c 30 2f 73 63 72 69 70 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011141 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011142 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011143 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011144 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- [&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp) uricontent:"&cmd="; |---------------------| Building Rule: 2010920 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- \x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F uricontent:".php?=https:/#?"; |---------------------| Building Rule: 2009152 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F uricontent:".php?=ftp:/#?"; |---------------------| Building Rule: 2009153 -------- Hex Payload 
Start ---------- --------- Hex Payload End ----------- \x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F uricontent:".php?=ftp:/#?"; |---------------------| Building Rule: 2009155 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009288 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 72 65 76 6f 6c 74 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006443 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006444 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT\b.*FROM uricontent:"SELECTFROM"; |---------------------| Building Rule: 2006445 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2006446 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d uricontent:"UPDATE%20A!SET%20A="; |---------------------| Building Rule: 2006447 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008176 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2008467 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009029 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 56 33 32 74 73 --------- Hex Payload End ----------- INTO.+OUTFILE uricontent:"INTO0OUTFILE"; |---------------------| Building Rule: 2010037 -------- Hex Payload Start ---------- 20 --------- Hex 
Payload End ----------- ALTER\ +(database|procedure|table|column) uricontent:"ALTER%20database"; |---------------------| Building Rule: 2010084 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DROP\ +(database|procedure|table|column) uricontent:"DROP%20database"; |---------------------| Building Rule: 2010085 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- CREATE\ +(database|procedure|table|column|directory) uricontent:"CREATE%20database"; |---------------------| Building Rule: 2010086 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+INSTR uricontent:"SELECT0INSTR"; |---------------------| Building Rule: 2010284 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+SUBSTR uricontent:"SELECT0SUBSTR"; |---------------------| Building Rule: 2010285 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT[^a-z]+USER uricontent:"SELECT#USER"; |---------------------| Building Rule: 2010963 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SHOW.+CHARACTER.+SET uricontent:"SHOW0CHARACTER0SET"; |---------------------| Building Rule: 2010964 -------- Hex Payload Start ---------- 53 45 54 --------- Hex Payload End ----------- SHOW.+VARIABLES uricontent:"SHOW0VARIABLES"; |---------------------| Building Rule: 2010965 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SHOW.+CUR(DATE|TIME) uricontent:"SHOW0CURDATE"; |---------------------| Building Rule: 2010966 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SHOW.+TABLES uricontent:"SHOW0TABLES"; |---------------------| Building Rule: 2010967 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011035 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011037 -------- Hex Payload 
Start ---------- 20 --------- Hex Payload End ----------- INSERT.+VALUES uricontent:"INSERT0VALUES"; |---------------------| Building Rule: 2011039 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- BENCHMARK\x28[0-9].+\x29 uricontent:"BENCHMARK(00)"; |---------------------| Building Rule: 2011041 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+CONCAT uricontent:"SELECT0CONCAT"; |---------------------| Building Rule: 2011042 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- [^\w]REVERSE[^\w]?\( uricontent:"#REVERSE("; |---------------------| Building Rule: 2011122 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009485 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003903 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003904 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"cid0=0script"; |---------------------| Building Rule: 2011073 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2010667 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011015 -------- Hex Payload Start ---------- 55 4e 4c 4f 43 4b 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 20 4c 6f 63 6b 2d 74 6f 6b 65 6e 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2009955 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009949 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009950 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009951 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009952 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009953 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010820 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; reference:url,doc.emergingthreats.net/2002844; classtype:web-application-attack; sid:2002844; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2010720 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2002667 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010794 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- page_include=\s*(https?|ftps?|php)\:\/ uricontent:"page_include=http:/"; |---------------------| Building Rule: 2009717 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007510 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007511 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007512 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007513 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007514 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007515 -------- Hex Payload Start ---------- 20 20 --------- 
Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007516 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007517 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007518 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007519 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007520 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007521 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007522 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007523 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007524 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007525 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007526 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007527 -------- Hex Payload 
Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007528 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007529 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007530 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007531 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007532 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007533 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007534 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007535 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007536 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007537 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007538 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building 
Rule: 2007539 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007540 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007541 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007542 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007543 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007544 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007545 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007546 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007547 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007548 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007549 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007550 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; 
|---------------------| Building Rule: 2007551 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007552 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007553 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007554 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007555 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007556 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007557 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007558 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007559 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007560 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007561 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007562 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007563 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009734 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- LibDir=\s*(ftps?|https?|php)\:\/ uricontent:"LibDir=ftp:/"; |---------------------| Building Rule: 2011164 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- LibDir=\s*(ftps?|https?|php)\:\/ uricontent:"LibDir=ftp:/"; |---------------------| Building Rule: 2011165 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- LibDir=\s*(ftps?|https?|php)\:\/ uricontent:"LibDir=ftp:/"; |---------------------| Building Rule: 2011666 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- LibDir=\s*(ftps?|https?|php)\:\/ uricontent:"LibDir=ftp:/"; |---------------------| Building Rule: 2011167 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010196 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004059 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004060 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004061 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004062 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End 
content:"<OBJECT classid=clsid:CA8A9780-280D-11CF-A24D-444553540000"; |---------------------| Building Rule: 2010726 -------- Hex Payload Start ---------- 63 6c 73 69 64 43 41 38 41 39 37 38 30 2d 32 38 30 44 2d 31 31 43 46 2d 41 32 34 44 2d 34 34 34 35 35 33 35 34 30 30 30 30 20 73 72 63 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 43 41 38 41 39 37 38 30 2d 32 38 30 44 2d 31 31 43 46 2d 41 32 34 44 2d 34 34 34 35 35 33 35 34 30 30 30 30 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003897 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003898 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003899 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003900 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003901 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003915 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- loadadminpage=\s*(https?|ftps?|php)\:\/ uricontent:"loadadminpage=http:/"; |---------------------| Building Rule: 2009382 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008785 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009424 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- pathtoserverdata\s*=\s*(https?|ftps?|php)\:\/ uricontent:"pathtoserverdata=http:/"; |---------------------| Building Rule: 2010362 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004887 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004888 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004889 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004890 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004891 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004892 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End 
----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004893 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004894 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004895 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004896 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004897 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004898 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005772 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005773 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005774 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005775 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005776 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005777 -------- Hex Payload Start ---------- 
20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008787 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004022 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \+UNION\+SELECT uricontent:"+UNION+SELECT"; |---------------------| Building Rule: 2008439 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009228 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004717 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004718 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004719 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004720 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004721 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004723 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006560 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; 
|---------------------| Building Rule: 2006561 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006562 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006564 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006565 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006566 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006567 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006568 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006569 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006570 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006571 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006572 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006573 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006574 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006575 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006576 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006577 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006578 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006579 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006580 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006581 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006582 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006583 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006584 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006585 -------- Hex Payload Start ---------- 20 20 
--------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006586 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006587 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006588 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006589 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006590 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"script"; |---------------------| Building Rule: 2010146 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011114 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407 content:"<OBJECT classid=clsid:5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; |---------------------| Building Rule: 2010921 -------- Hex Payload Start ---------- 63 6c 73 69 64 35 41 30 37 34 42 32 42 2d 46 38 33 30 2d 34 39 44 45 2d 41 33 31 42 2d 35 42 42 39 44 37 46 36 42 34 30 37 20 53 68 6f 72 74 46 6f 72 6d 61 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 35 41 30 37 34 42 32 42 2d 46 38 33 30 2d 34 39 44 45 2d 41 33 31 42 2d 35 42 42 39 44 37 46 36 42 34 30 37 --------- 
Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008936 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006783 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006784 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006785 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006786 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006787 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006788 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006789 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006790 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006791 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006792 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006793 
-------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006794 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008669 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2001949 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004724 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004725 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004726 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004727 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004728 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004729 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009186 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- master\[currentskin\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"master[currentskin]=http:/"; |---------------------| Building Rule: 2010198 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- 
UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008650 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009718 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009747 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011692 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 63 6c 73 69 64 37 46 31 34 41 39 45 45 2d 36 39 38 39 2d 31 31 44 35 2d 38 31 35 32 2d 30 30 43 30 34 46 31 39 31 46 43 41 20 49 6e 73 74 61 6c 6c 46 72 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2011681 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4e 4d 57 45 42 49 4e 53 54 2e 4e 4d 57 65 62 49 6e 73 74 43 74 72 6c 2e 31 20 49 6e 73 74 61 6c 6c 46 72 6f 6d --------- Hex Payload End ----------- (onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src) uricontent:"onmouse"; |---------------------| Building Rule: 2010082 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (configdir|update|pluginmode)=.*(\|.+\||system) uricontent:"configdir=|0|"; |---------------------| Building Rule: 2001686 Parser failed - skipping rule |---------------------| Building Rule: 2011722 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 63 6c 73 69 64 44 45 36 32 35 32 39 34 2d 37 30 45 36 2d 34 35 45 44 2d 42 38 39 35 2d 43 46 46 41 31 33 41 45 42 30 34 34 20 53 65 74 49 6d 61 67 65 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007452 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End 
----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007453 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007454 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007455 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007456 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007457 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007458 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007459 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007460 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007461 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007462 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007463 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004331 -------- Hex Payload Start ---------- 
20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004332 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004333 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004334 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004335 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004336 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008724 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008896 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- class_dir=\s*(ftps?|https?|php)\:\/ uricontent:"class_dir=ftp:/"; |---------------------| Building Rule: 2009165 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- \/cgi-mod\/index\.cgi\?.*backup_username=[^&\;]*[>\"] uricontent:"/cgi-mod/index.cgi?backup_username=>"; |---------------------| Building Rule: 2010547 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/cgi-mod\/index\.cgi\?.*backup_server=[^&\;]*[>\"] uricontent:"/cgi-mod/index.cgi?backup_server=>"; |---------------------| Building Rule: 2010548 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/cgi-mod\/index\.cgi\?.*backup_path=[^&\;]*[>\"] 
uricontent:"/cgi-mod/index.cgi?backup_path=>"; |---------------------| Building Rule: 2010549 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/cgi-mod\/index\.cgi\?.*backup_password=[^&\;]*[>\"] uricontent:"/cgi-mod/index.cgi?backup_password=>"; |---------------------| Building Rule: 2010550 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009195 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- mj_config\[src_path\]=\s*(https?|ftps?|php)\:\/ uricontent:"mj_config[src_path]=http:/"; |---------------------| Building Rule: 2009196 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007211 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007212 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007213 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007214 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007215 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007216 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003738 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- page=\s*(https?|ftps?|php)\:\/ uricontent:"page=http:/"; 
---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007275 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007276 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007277 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007278 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007279 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007280 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007281 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007282 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- script>?.*<.+\/script>? uricontent:"script<0/script"; |---------------------| Building Rule: 2004566 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- script>?.*<.+\/script>? uricontent:"script<0/script"; |---------------------| Building Rule: 2004567 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- script>?.*<.+\/script>? 
uricontent:"script<0/script"; |---------------------| Building Rule: 2004568 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008866 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- script>?.*<.+\/script>? uricontent:"script<0/script"; |---------------------| Building Rule: 2004591 -------- Hex Payload Start ---------- 20 71 75 65 72 79 3d 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004875 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004876 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004877 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004878 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004879 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004880 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006504 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006505 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006506 -------- 
Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006507 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006508 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006509 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004635 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004636 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004637 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004638 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004639 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004640 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src) uricontent:"onmouse"; |---------------------| Building Rule: 2010988 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009787 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End 
----------- (script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"script"; |---------------------| Building Rule: 2010200 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"script"; |---------------------| Building Rule: 2011019 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- sections_file=\s*(ftps?|https?|php)\:\/ uricontent:"sections_file=ftp:/"; |---------------------| Building Rule: 2009166 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004705 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004706 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004707 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004708 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004709 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004710 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004711 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building 
Rule: 2004712 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004713 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004714 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004715 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004716 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011152 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007336 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007337 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007338 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007339 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007340 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007341 
-------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006303 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006304 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006305 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006306 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006307 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006308 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004809 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004810 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004811 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004812 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004813 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; 
|---------------------| Building Rule: 2004815 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005841 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005842 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005843 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005844 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005845 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005846 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005847 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005848 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005849 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005850 -------- Hex Payload Start ---------- 20 67 69 64 3d 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005851 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End 
----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005852 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005853 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005854 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005855 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005856 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005857 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005858 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- footer_file=\s*(ftps?|https?|php)\:\/ uricontent:"footer_file=ftp:/"; |---------------------| Building Rule: 2009793 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003752 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2003753 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2003754 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 
2003755 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2003756 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2003757 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005859 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005860 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005861 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005862 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005863 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005864 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011113 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004035 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004036 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2004037 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004038 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004039 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004040 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- template=[./] uricontent:"template=."; |---------------------| Building Rule: 2002668 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- template=[./] uricontent:"template=."; |---------------------| Building Rule: 2003152 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009764 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- id=-?\d+\s+UNION\s uricontent:"id=0%20UNION%20"; |---------------------| Building Rule: 2002678 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (LogFile|ClearLogFile|SaveToFile) content:"LogFile"; |---------------------| Building Rule: 2008789 -------- Hex Payload Start ---------- 43 4c 53 49 44 20 37 36 30 30 37 30 37 42 2d 39 46 34 37 2d 34 31 36 44 2d 38 41 42 35 2d 36 46 44 39 36 45 41 33 37 39 36 38 20 4c 6f 67 46 69 6c 65 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010271 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010272 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT 
uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010273 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010274 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010275 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004083 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004084 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004085 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004086 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004087 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004088 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004456 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004457 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004458 -------- Hex Payload 
Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004459 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004460 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004461 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- script>?.*<.+\/script>? uricontent:"script<0/script"; |---------------------| Building Rule: 2004584 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004585 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2010025 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- SECURITY_FILE=\s*(https?|ftps?|php)\:\/ uricontent:"SECURITY_FILE=http:/"; |---------------------| Building Rule: 2010027 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004683 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004684 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004685 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004686 -------- Hex Payload Start ---------- 20 20 --------- Hex 
Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004687 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004688 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006081 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006082 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006083 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006084 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006085 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006086 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006087 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006088 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006089 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006090 -------- Hex Payload Start ---------- 20 --------- 
Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006091 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006092 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006093 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006094 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006095 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006096 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006097 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006098 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006099 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006100 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006101 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006102 -------- Hex Payload Start ---------- 20 20 
(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011154 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006449 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006450 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006451 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006452 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006453 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006454 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006135 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006136 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006137 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006138 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT 
uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006139 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006140 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006147 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006148 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006149 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006150 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006151 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006152 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006153 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006154 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006155 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006156 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload 
End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006157 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006158 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007042 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007043 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007044 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007045 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007046 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007047 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007048 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007059 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007050 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007051 -------- Hex Payload Start ---------- 20 20 
--------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007052 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007053 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007054 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007055 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007056 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007057 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007058 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007049 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007030 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007031 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007032 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007033 -------- 
Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007034 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007035 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007036 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007037 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007038 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007039 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007040 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007041 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007076 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007077 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007078 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| 
Building Rule: 2007079 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007080 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007081 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007082 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007083 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007084 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007085 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007086 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007087 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007088 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007089 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007090 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007091 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007092 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007093 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007094 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007095 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007096 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007097 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007098 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007099 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007100 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007101 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007102 -------- Hex Payload Start ---------- 20 20 --------- Hex 
Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007103 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007104 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007105 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007106 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007107 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007108 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007109 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007110 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007111 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007112 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007113 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007114 -------- Hex Payload 
Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007115 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007116 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007117 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007118 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007119 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007120 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007121 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007122 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007123 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007124 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007125 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 
2007126 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007127 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007128 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007129 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007130 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007131 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007132 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007133 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007134 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007135 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007136 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007137 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2007138 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007139 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007140 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007141 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005256 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005257 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005258 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005259 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005260 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005261 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005262 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005263 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005264 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005265 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005266 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005267 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008832 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- path=\s*(ftps?|https?|php)\:\/ uricontent:"path=ftp:/"; |---------------------| Building Rule: 2008833 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006219 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006220 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006221 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006222 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006223 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building 
Rule: 2006224 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005877 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005878 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005879 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005880 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005881 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005882 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008998 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005336 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005337 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005338 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005339 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT 
uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005340 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005341 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007060 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007061 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007062 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007063 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007064 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007065 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009428 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005081 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005082 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005083 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005084 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005085 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005086 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008931 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006813 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006814 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006815 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006816 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006817 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006818 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006339 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006340 -------- Hex 
Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006341 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006342 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006343 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006344 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005615 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005616 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005617 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005618 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005619 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005620 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c] uricontent:"?GLOBALS[nlang]=/"; |---------------------| Building Rule: 2010543 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- 
(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c] uricontent:"?GLOBALS[nlang]=/"; |---------------------| Building Rule: 2010544 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010800 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010801 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010802 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010803 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010804 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003846 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2003847 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2003848 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2003849 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2003850 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2003851 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- 
FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\/ uricontent:"FSPHP_LIB=http:/"; |---------------------| Building Rule: 2010359 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\/ uricontent:"FSPHP_LIB=http:/"; |---------------------| Building Rule: 2010360 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\/ uricontent:"FSPHP_LIB=http:/"; |---------------------| Building Rule: 2010361 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006123 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006124 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006125 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006126 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006127 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006128 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- dir\[classes\]=\s*(https?|ftps?|php)\:\/ uricontent:"dir[classes]=http:/"; |---------------------| Building Rule: 2009506 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009507 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM 
uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006327 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006328 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006329 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006330 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006331 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006332 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- kal_class_path=\s*(ftps?|https?|php)\:\/ uricontent:"kal_class_path=ftp:/"; |---------------------| Building Rule: 2011096 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- kal_class_path=\s*(ftps?|https?|php)\:\/ uricontent:"kal_class_path=ftp:/"; |---------------------| Building Rule: 2011097 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003788 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2003789 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2003790 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; 
|---------------------| Building Rule: 2003791 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2003792 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2003793 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006898 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006899 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006900 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006901 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006902 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006903 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006904 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006905 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006906 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End 
----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006907 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006908 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006909 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"edit=0script"; |---------------------| Building Rule: 2011256 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"edit=0script"; |---------------------| Building Rule: 2011257 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"site_id=0script"; |---------------------| Building Rule: 2011258 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003690 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007182 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007183 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2007184 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007185 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007186 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007187 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007188 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007189 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007190 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007191 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007192 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007193 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007194 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007195 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007196 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007197 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007198 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007199 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009849 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009850 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009851 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009852 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009853 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009854 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009855 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT 
uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009856 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003823 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2003824 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2003825 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2003826 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2003827 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2003828 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009745 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- BASE_DIR\[jax_formmailer\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"BASE_DIR[jax_formmailer]=http:/"; |---------------------| Building Rule: 2010484 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005176 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005147 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| 
Building Rule: 2005148 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005149 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005150 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005151 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009103 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008878 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- API_HOME_DIR=\s*(ftps?|https?|php)\:\/ uricontent:"API_HOME_DIR=ftp:/"; |---------------------| Building Rule: 2008879 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009652 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009935 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004917 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004918 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004919 -------- Hex Payload 
Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004920 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004921 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004923 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005075 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005076 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005077 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005078 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005079 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005080 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005372 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005373 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building 
Rule: 2005374 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005375 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005376 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005377 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006461 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006462 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006463 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006464 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006465 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006466 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006467 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006468 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2006469 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006470 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006471 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006472 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006189 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006190 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006191 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006192 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006193 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006194 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006195 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006196 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006197 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006198 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006199 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006200 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006201 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006202 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006203 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006204 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006205 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006206 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005330 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005331 -------- Hex Payload Start ---------- 20 20 
--------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005332 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005333 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005334 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005335 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- abspath=\s*(ftps?|https?|php)\:\/ uricontent:"abspath=ftp:/"; |---------------------| Building Rule: 2009163 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009394 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004586 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- CFG\[PREPEND_FILE\]=\s*(ftps?|https?|php)\:\/ uricontent:"CFG[PREPEND_FILE]=ftp:/"; |---------------------| Building Rule: 2010096 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009791 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004563 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004564 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004565 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- galid=-?\d+ uricontent:"galid=0%20"; |---------------------| Building Rule: 2002671 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ADODB_LANG\s*=\s*(https?|ftps?|php)\:\/ uricontent:"ADODB_LANG=http:/"; |---------------------| Building Rule: 2011018 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- config\[gfwroot\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[gfwroot]=ftp:/"; |---------------------| Building Rule: 2011116 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003999 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004000 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004001 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004002 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; 
|---------------------| Building Rule: 2004003 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004004 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004397 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004398 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004399 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004400 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004401 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004402 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- _CONF\[.*\]=(data|https?|ftps?|php)\:\/ uricontent:"_CONF[]=data:/"; |---------------------| Building Rule: 2002996 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005009 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005010 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005011 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload 
End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005012 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005013 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005014 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003866 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2003841 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2003842 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2003843 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2003844 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2003845 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004562 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- root_path=\s*(ftps?|https?|php)\:\/ uricontent:"root_path=ftp:/"; |---------------------| Building Rule: 2003333 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- cur_module=\s*(https?|ftps?|php)\:\/ uricontent:"cur_module=http:/"; |---------------------| Building Rule: 2009733 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- proxystylesheet=\s*(https?|ftps?|php) uricontent:"proxystylesheet=http"; |---------------------| Building Rule: 2002849 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- location=\s*(https?|ftps?|php)\:\/ uricontent:"location=http:/"; |---------------------| Building Rule: 2009427 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008937 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004349 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004350 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004351 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004352 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004353 -------- Hex 
Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004354 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004355 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004356 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004357 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004358 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004359 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004360 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004361 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004362 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004363 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004364 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| 
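The records above pair each rule's pcre pattern with the uricontent probe the build tool derived from it: `UNION\s+SELECT` becomes `UNION%20SELECT`, `UPDATE.+SET` becomes `UPDATE0SET`, optional atoms such as `https?` lose their `?`, a group yields its first alternative, a negated character class yields `#`, and `{m,n}` repeats are reported as `NOT IMPL`. The following is an added example, not the tool's own code, that reproduces those mappings so the log can be checked or re-generated offline. Its treatment of digit and word classes, inline flag groups and `{m,n}` repeats (one instance kept, with a warning) is this example's own assumption; the log shows the tool's output for such patterns is not always the same.

```python
"""Derive probe strings from the pcre patterns in the log records above.

Added example, not the rule-building tool's own code.  It reproduces the
pattern -> uricontent mappings visible in the log; digit/word classes,
inline flag groups and {m,n} repeats are handled by assumption.
"""
import re

_DELIM = re.compile(r"/(.*)/([A-Za-z]*)", re.S)   # Snort form: /pattern/flags
_HEXESC = re.compile(r"x([0-9A-Fa-f]{2})")


def _escape(pat, i):
    """Decode the escape at pat[i] == '\\'; return (one-instance text, next index)."""
    if i + 1 >= len(pat):
        return "\\", i + 1
    c = pat[i + 1]
    m = _HEXESC.match(pat, i + 1) if c == "x" else None
    if m:                          # \x3D -> '='
        return chr(int(m.group(1), 16)), i + 4
    if c == "s":                   # whitespace is emitted URL-encoded, as in the log
        return "%20", i + 2
    if c == "d":                   # assumption: a digit class yields '0'
        return "0", i + 2
    if c == "w":                   # assumption: a word class yields 'a'
        return "a", i + 2
    return c, i + 2                # \( \[ \/ \: \. \" -> the literal character


def _char_class(pat, i):
    """Parse [...] at pat[i] == '['; negated classes yield '#', others their first member."""
    j = i + 1
    negated = pat[j] == "^"
    if negated:
        j += 1
    first = None
    while pat[j] != "]":
        ch, j = _escape(pat, j) if pat[j] == "\\" else (pat[j], j + 1)
        first = ch if first is None else first
    return ("#" if negated else first), j + 1


def _quantifier(pat, i, warnings):
    """Return (keep one instance?, next index) for the quantifier at pat[i], if any."""
    if i < len(pat) and pat[i] in "*?+":
        keep = pat[i] == "+"
        i += 1
        if i < len(pat) and pat[i] == "?":   # lazy forms +? *? ??
            i += 1
        return keep, i
    if i < len(pat) and pat[i] == "{":       # {m,n}: not implemented, keep one instance
        close = pat.index("}", i)
        warnings.append("NOT IMPL: repeat %s, one instance kept" % pat[i:close + 1])
        return True, close + 1
    return True, i


def _alternatives(pat, i, warnings):
    """Parse alternatives up to ')' or end of pattern; return (probe per alternative, next index)."""
    alts, cur = [], []
    while i < len(pat):
        c = pat[i]
        if c == ")":
            return alts + ["".join(cur)], i + 1
        if c == "|":
            alts.append("".join(cur))
            cur, i = [], i + 1
            continue
        if c == "(":
            if pat.startswith("(?", i) and not pat.startswith("(?:", i):
                one, i = "", pat.index(")", i) + 1    # inline flags such as (?i) contribute nothing
            else:
                inner, i = _alternatives(pat, i + (3 if pat.startswith("(?:", i) else 1), warnings)
                one = inner[0]                         # only the first alternative is probed
        elif c == "[":
            one, i = _char_class(pat, i)
        elif c == "\\":
            one, i = _escape(pat, i)
        elif c == ".":
            one, i = "0", i + 1                        # wildcard -> '0' (UPDATE.+SET -> UPDATE0SET)
        elif c in "^$":
            one, i = "", i + 1                         # anchors contribute nothing
        else:
            one, i = c, i + 1
        keep, i = _quantifier(pat, i, warnings)
        cur.append(one if keep else "")                # '?' and '*' make the atom optional: drop it
    return alts + ["".join(cur)], i


def probe_from_pcre(pcre):
    """Return (probe string, warnings) for a bare pattern or the Snort '/pattern/flags' form."""
    m = _DELIM.fullmatch(pcre)
    warnings = []
    alts, _ = _alternatives(m.group(1) if m else pcre, 0, warnings)
    return alts[0], warnings


def uricontent_option(pcre):
    """Format the probe as the uricontent option printed next to each pattern in the log."""
    return 'uricontent:"%s";' % probe_from_pcre(pcre)[0]


if __name__ == "__main__":
    for pat in (r"UNION\s+SELECT", r"_CONF\[.*\]=(data|https?|ftps?|php)\:\/",
                r"<?(java|vb)?script>?.*<.+\/script>?",
                r"\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README"):
        probe, warns = probe_from_pcre(pat)
        print("%-55s %s %s" % (pat, uricontent_option(pat), " ".join(warns)))
```

Because only the first alternative and the shortest form of every optional atom are kept, the probe is the cheapest string that should satisfy the pcre; anything the regex can also match (a different alternative, a longer repeat) is not exercised, which is why a rule whose pcre is broad still gets a single narrow probe in the log.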
Building Rule: 2004365 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004366 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004367 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004368 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004369 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004370 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004371 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004372 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011262 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011263 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011264 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011265 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 
--------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011266 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009674 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005222 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005223 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005224 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005225 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005311 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005226 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007404 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007405 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007406 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| 
Building Rule: 2007407 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007408 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007409 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007410 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007411 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007412 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007413 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007414 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007415 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004554 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004555 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2004560 -------- Hex Payload Start ---------- 20 3c 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004561 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"ICount="; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-085/; reference:cve,2010-1554; reference:url,doc.emergingthreats.net/2011196; classtype:web-application-attack; sid:2011196; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid MaxAge Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"MaxAge="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-084/; reference:cve,2010-1553; reference:url,doc.emergingthreats.net/2011197; classtype:web-application-attack; sid:2011197; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid Hostname Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"Hostname="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-086/; reference:cve,2010-1555; reference:url,doc.emergingthreats.net/2011198; classtype:web-application-attack; sid:2011198; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"servercert=0script"; |---------------------| Building Rule: 2010770 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009878 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004421 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004422 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004423 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004424 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004425 -------- Hex Payload Start ---------- 20 
20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004426 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009231 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- c_temp_path=\s*(https?|ftps?|php)\:\/ uricontent:"c_temp_path=http:/"; |---------------------| Building Rule: 2009232 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- c_temp_path=\s*(https?|ftps?|php)\:\/ uricontent:"c_temp_path=http:/"; |---------------------| Building Rule: 2009233 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- (\?|&)article_id=[^\x26\x3B]*[^\d\x2D] uricontent:"?article_id=#"; |---------------------| Building Rule: 2010609 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- _settings\[pluginpath\]=\s*(https?|ftps?|php)\:\/ uricontent:"_settings[pluginpath]=http:/"; |---------------------| Building Rule: 2009398 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- module=[^\;]*\;.*\" uricontent:"module=;""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; uricontent:"module=;""; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12;) Parser failed - skipping rule |---------------------| Building Rule: 2002868 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/horde/README"; |---------------------| Building Rule: 2002897 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B] uricontent:"colorpicker.php?form=>"; |---------------------| Building Rule: 2009494 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27] uricontent:"test.php?ext=>"; |---------------------| Building Rule: 2009495 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22 uricontent:"passwd/main.php?backend=""; |---------------------| Building Rule: 2009496 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B] uricontent:"colorpicker.php?form=>"; |---------------------| Building Rule: 2009497 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27] uricontent:"test.php?ext=>"; |---------------------| Building Rule: 2009498 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22 uricontent:"passwd/main.php?backend=""; |---------------------| Building Rule: 2009499 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- config\[incdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[incdir]=ftp:/"; |---------------------| Building Rule: 2011161 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009647 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009650 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005179 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004630 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004631 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004632 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004633 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004634 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005063 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005064 -------- Hex Payload Start 
---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005065 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005066 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005067 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005068 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"script"; |---------------------| Building Rule: 2010145 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- searchWord\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"searchWord=script"; |---------------------| Building Rule: 2010181 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- maxHits\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"maxHits=script"; |---------------------| Building Rule: 2010182 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- scopedSearch\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"scopedSearch=script"; |---------------------| Building Rule: 2010183 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- scope\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"scope=script"; |---------------------| Building Rule: 2010184 -------- Hex Payload Start ---------- 20 --------- Hex Payload End 
----------- BaseTarget\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"BaseTarget=0script"; |---------------------| Building Rule: 2010865 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2010980 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"INDEX=0script"; |---------------------| Building Rule: 2011190 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- domain\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"domain=0script"; |---------------------| Building Rule: 2011191 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"slot=0script"; |---------------------| Building Rule: 2011192 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"slot=0script"; |---------------------| Building Rule: 2011193 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- WEBINDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) 
uricontent:"WEBINDEX=0script"; |---------------------| Building Rule: 2011194 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SLOT\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"SLOT=0script"; |---------------------| Building Rule: 2011195 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- phpbb_root_path=\s*(ftps?|https?|php)\:\/ uricontent:"phpbb_root_path=ftp:/"; |---------------------| Building Rule: 2008964 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- phpbb_root_path=\s*(ftps?|https?|php)\:\/ uricontent:"phpbb_root_path=ftp:/"; |---------------------| Building Rule: 2008965 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005639 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005640 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005641 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005642 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005643 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005644 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005645 -------- 
Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005646 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005647 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005648 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005649 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005650 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005651 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005652 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005653 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005654 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005655 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005656 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| 
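The four rules the log echoes with `Unsupported keyword! Error parsing rule contents ... Parser failed - skipping rule` show the two things a rule-to-payload converter has to get right before it can emit a `Hex Payload` line: splitting the option body on `;` only outside quotes, and decoding `content` strings with their `|hex|` sections. The following is an added example, not the tool's own code. It parses a rule header and option list, decodes each `content`/`uricontent` match to bytes, prints the non-negated bytes in the same space-separated hex notation the log uses, and flags keywords outside a supported set. That set is an assumption chosen for illustration (the log does not say which keyword the tool rejects); the two sample rules are copied from the log records above.

```python
"""Parse a Suricata/Snort rule, decode its content matches to the log's hex
notation and flag unsupported option keywords.

Added example, not the rule-building tool's own code.  SUPPORTED is an
illustrative assumption; the sample rules are copied from the log above.
"""
import re

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

# Assumption: an illustrative keyword set; a real converter supports far more.
SUPPORTED = {"msg", "flow", "content", "uricontent", "nocase", "http_uri", "http_method",
             "pcre", "within", "distance", "offset", "depth", "reference", "classtype",
             "sid", "rev", "metadata"}


class RuleParseError(ValueError):
    pass


def split_options(body):
    """Split the option body on ';' outside double quotes ('\\' escapes the next char in quotes)."""
    opts, cur, inq, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if inq and c == "\\" and i + 1 < len(body):
            cur += [c, body[i + 1]]
            i += 2
            continue
        if c == '"':
            inq = not inq
        elif c == ";" and not inq:
            opts.append("".join(cur).strip())
            cur, i = [], i + 1
            continue
        cur.append(c)
        i += 1
    if inq:
        raise RuleParseError("unterminated quote in option body")
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    parsed = []
    for o in opts:
        if o:
            key, _, val = o.partition(":")
            parsed.append((key.strip(), val.strip() if val else None))
    return parsed


def decode_content(value):
    """Decode a content/uricontent value: '!"GET |20 20|"' -> (True, b'GET   ')."""
    negated = value.startswith("!")
    value = value[1:].lstrip() if negated else value
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise RuleParseError("content value must be quoted: %r" % value)
    out, hexbuf, inhex, i, s = bytearray(), [], False, 0, value[1:-1]
    while i < len(s):
        c = s[i]
        if c == "|":                                   # |..| toggles a hex section
            if inhex:
                out += bytes.fromhex("".join(hexbuf))
                hexbuf = []
            inhex = not inhex
        elif inhex:
            if not c.isspace():
                hexbuf.append(c)
        elif c == "\\" and i + 1 < len(s):             # \" \; \\ inside a content string
            i += 1
            out.append(ord(s[i]))
        else:
            out.append(ord(c))
        i += 1
    if inhex:
        raise RuleParseError("unterminated |hex| section")
    return negated, bytes(out)


def analyse_rule(rule):
    """Return {'sid', 'unsupported', 'contents'} for one rule, or raise RuleParseError."""
    m = _HEADER.match(rule.strip())
    if not m:
        raise RuleParseError("unrecognised rule header")
    report = {"sid": None, "unsupported": [], "contents": []}
    for key, val in split_options(m.group("opts")):
        if key == "sid":
            report["sid"] = int(val)
        if key not in SUPPORTED:
            report["unsupported"].append(key)
        if key in ("content", "uricontent"):
            report["contents"].append(decode_content(val))
    return report


def hex_payload(report):
    """Join the non-negated content bytes in the space-separated hex notation of the log."""
    data = b"".join(d for neg, d in report["contents"] if not neg)
    return " ".join("%02x" % b for b in data)


# Both rules are copied from the parse-failure records in the log above.
RULE_ICOUNT = ('alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP '
               'OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt"; '
               'flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; '
               'http_uri; content:"ICount="; nocase; isdataat:100,relative; content:!"|0A|"; within:100; '
               'reference:url,www.zerodayinitiative.com/advisories/ZDI-10-085/; reference:cve,2010-1554; '
               'reference:url,doc.emergingthreats.net/2011196; classtype:web-application-attack; sid:2011196; rev:4;)')
RULE_HORDE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer '
              'Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; '
              'uricontent:"module=;""; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; '
              'reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12;)')

if __name__ == "__main__":
    for rule in (RULE_ICOUNT, RULE_HORDE):
        try:
            r = analyse_rule(rule)
            print("sid %s unsupported=%s hex=%s" % (r["sid"], r["unsupported"], hex_payload(r)))
        except RuleParseError as e:
            print("Parser failed - skipping rule: %s" % e)
```

Run against the two echoed rules, the HP OpenView rule parses and is reported with `isdataat` outside the assumed keyword set, while the Horde rule fails in `split_options` because its `uricontent:"module=;""` carries an unescaped inner quote that leaves the option body with an open string; a converter that tolerates that form would have to accept a bare `"` inside a content value, which Snort's own syntax does not.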
----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005425 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005426 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005427 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005428 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005429 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005430 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005431 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005432 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005433 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005434 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005435 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005436 -------- Hex Payload Start ---------- 
20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005437 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005438 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005439 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005440 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005441 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005442 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005443 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005444 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005445 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005446 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005447 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005448 
-------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005449 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005450 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005451 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005452 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005453 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005454 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005455 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008685 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- (\.\.\/){1} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008822 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- mosConfig_live_site=\s*(https?|ftps?|php)\:\/ uricontent:"mosConfig_live_site=http:/"; |---------------------| Building Rule: 2009369 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009778 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2009779 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009780 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009834 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009835 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009836 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009881 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009913 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009914 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2009915 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009916 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2009917 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009919 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009920 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009921 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2009924 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2009922 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009929 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A) uricontent:".php?=http:"; |---------------------| Building Rule: 2009933 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009934 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009938 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009939 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009940 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2009941 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2009942 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End 
----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009943 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009944 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009945 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2009946 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2009947 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009956 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009957 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009958 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2009959 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2009960 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2009961 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2009962 -------- Hex Payload 
Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009963 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2009964 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2009965 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010014 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010015 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010016 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010017 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010018 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010040 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010041 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010042 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO 
uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010043 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010044 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010045 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010046 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010047 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010048 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[mosConfig_absolute_path]=http:/"; |---------------------| Building Rule: 2010260 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010349 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010350 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010351 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010352 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- 
UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010353 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[mosConfig_absolute_path]=http:/"; |---------------------| Building Rule: 2010474 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010476 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010477 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010478 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010479 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010480 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- user_id=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"user_id=%20"; |---------------------| Building Rule: 2010528 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- newsid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"newsid=%20"; |---------------------| Building Rule: 2010529 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?Itemid=%20"; |---------------------| Building Rule: 2010535 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- (\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?id=%20"; 
|---------------------| Building Rule: 2010536 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- (\?|&)eid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?eid=%20"; |---------------------| Building Rule: 2010537 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?Itemid=%20"; |---------------------| Building Rule: 2010538 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\?|&)pid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?pid=%20"; |---------------------| Building Rule: 2010539 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?Itemid=%20"; |---------------------| Building Rule: 2010540 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?id=%20"; |---------------------| Building Rule: 2010541 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?secid=%20"; |---------------------| Building Rule: 2010542 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010555 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010556 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010557 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010558 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End 
----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010559 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- (\?|&)catID=[^\x26\x3B]*[^\d\x2D] uricontent:"?catID=#"; |---------------------| Building Rule: 2010606 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"mosConfig_absolute_path=http:/"; |---------------------| Building Rule: 2010620 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010636 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010637 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010638 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010639 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010640 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"mosConfig_absolute_path=http:/"; |---------------------| Building Rule: 2010659 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"mosConfig_absolute_path=http:/"; |---------------------| Building Rule: 2010660 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex 
Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010710 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010711 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010712 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010713 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010714 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010750 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010751 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010752 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010753 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010754 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010780 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex 
Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010805 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010806 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010807 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010808 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010809 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010833 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010843 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010844 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010845 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010846 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010842 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 
--------- Hex Payload End ----------- user_id\s*=\s*(https?|ftps?|php)\:\/ uricontent:"user_id=http:/"; |---------------------| Building Rule: 2010848 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010853 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010854 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010855 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010856 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010857 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010924 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010925 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010926 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010927 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010928 -------- 
Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010947 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010948 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010949 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010950 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010951 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010942 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010989 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010990 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010991 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010992 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010993 -------- Hex Payload Start ---------- 47 
45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010994 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010981 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010982 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010983 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010984 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010985 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010996 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011001 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011002 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011003 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011004 -------- Hex 
Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011005 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011022 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011023 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011024 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011025 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011026 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"mosConfig_absolute_path=http:/"; |---------------------| Building Rule: 2011017 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011067 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011077 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011078 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT 
uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011079 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011080 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011081 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2011131 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2011132 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009383 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\/ uricontent:"GLOBALS[mosConfig_absolute_path]=ftp:/"; |---------------------| Building Rule: 2009384 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(https?|ftps?|php)\:\/ uricontent:"mosConfig_absolute_path=http:/"; |---------------------| Building Rule: 2009391 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006760 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006761 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO 
uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006762 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006763 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006764 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006765 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006766 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006767 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006768 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006769 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006770 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006771 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006772 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006773 -------- Hex Payload Start ---------- 20 20 --------- Hex 
Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006774 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006775 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006776 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006777 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\/ uricontent:"DOCUMENT_ROOT=http:/"; |---------------------| Building Rule: 2010475 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009198 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009658 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004641 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004642 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004643 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004644 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT 
uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004645 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004646 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004122 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004123 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004124 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004125 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004126 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004127 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003913 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"CONFIG[AdminPath]=http:/"; |---------------------| Building Rule: 2010197 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004979 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004980 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004981 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004982 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004983 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004984 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005796 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005797 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005798 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; 
|---------------------| Building Rule: 2005799 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005800 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005801 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004689 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004690 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004691 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004692 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004693 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004694 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005069 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005070 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005071 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005072 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005073 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005074 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005973 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005974 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005975 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005976 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005977 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005978 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006315 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006316 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006317 -------- Hex Payload Start ---------- 20 20 
--------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006318 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006319 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006320 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004523 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004524 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004525 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004526 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004527 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004528 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009761 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- =\s*(https?|ftps|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003716 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007294 -------- Hex Payload Start 
---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007295 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007296 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007297 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007298 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007299 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007300 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007301 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007302 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007303 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007304 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007305 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 
2007306 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007307 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007308 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007309 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007310 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007311 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007312 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007313 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007314 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007315 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007316 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007317 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; 
|---------------------| Building Rule: 2007318 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007319 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007320 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007321 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007322 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007323 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007324 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007325 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007326 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007327 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007328 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007329 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007330 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007331 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007332 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007333 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007334 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007335 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010023 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- cwd=\s*(https?|ftps?|php)\:\/ uricontent:"cwd=http:/"; |---------------------| Building Rule: 2010024 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006657 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006658 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006659 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006660 -------- Hex Payload Start ---------- 20 20 
--------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006661 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006662 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006663 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006664 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006665 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006666 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006667 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006668 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007362 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007364 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007363 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007365 -------- 
Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2007366 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2007367 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2007368 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2007369 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2007370 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2007371 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2007372 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2007373 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004409 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004410 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004411 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004412 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004413 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004414 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- cfile\s*=\s*(https?|ftps?|php)\:\/ uricontent:"cfile=http:/";
Building Rule: 2011000 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT";
Building Rule: 2008927 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006473 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006474 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006475 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006476 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006477 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006478 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2005829 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2005830 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2005831 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2005832 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2005833 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2005834 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\? uricontent:".php?pathToIndex=http://#??";
Building Rule: 2010530 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006321 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006322 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006323 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006324 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006325 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006326 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload) uricontent:"name=0IMG";
Building Rule: 2009990 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004961 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004962 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004963 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004964 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004965 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004966 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004967 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004968 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004969 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004970 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004971 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004972 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2005135 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2005136 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2005137 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2005138 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2005139 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2005140 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2005511 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2005512 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2005514 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2005515 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2005516 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2005517 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006225 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006226 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006227 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006228 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006229 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006230 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006231 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006232 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006233 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006234 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006235 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006236 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006237 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006238 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006239 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006240 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006241 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006242 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006243 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006244 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006245 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006246 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006247 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006248 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
Building Rule: 2003918 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
Building Rule: 2003919 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- reflect_base=\s*(ftps?|https?|php)\:\/ uricontent:"reflect_base=ftp:/";
Building Rule: 2008897 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:"";
Building Rule: 2008898 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- determined_format\[include\]=\s*(ftps?|https?|php)\:\/ uricontent:"determined_format[include]=ftp:/";
Building Rule: 2011062 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- determined_format\[include\]=\s*(ftps?|https?|php)\:\/ uricontent:"determined_format[include]=ftp:/";
Building Rule: 2011063 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
Building Rule: 2003882 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
Building Rule: 2003883 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
Building Rule: 2003884 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=(https?|ftps?|php)\:\/ uricontent:"mosConfig_absolute_path=http:/";
Building Rule: 2002681 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2003987 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2003988 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2003989 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2003990 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2003991 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2003992 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004427 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004428 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004429 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004430 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004431 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004432 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004433 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004434 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004435 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004436 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004437 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004438 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004766 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004767 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004768 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004769 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004770 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004771 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
Building Rule: 2009937 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- =\s*(https|ftps|php|http|ftp)\x3A\x2F uricontent:"=https:/";
Building Rule: 2010223 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\?|&)listing_id=[^\x26\x3B]*[^\d\x2D] uricontent:"?listing_id=#";
Building Rule: 2010605 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2011091 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2011092 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT";
Building Rule: 2011093 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2011094 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2011095 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT";
Building Rule: 2008837 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2005141 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2005142 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2005143 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2005144 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2005145 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2005146 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- fm_includes_special=\s*(ftps?|https?|php)\:\/ uricontent:"fm_includes_special=ftp:/";
Building Rule: 2011259 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
Building Rule: 2009888 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
Building Rule: 2009889 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
Building Rule: 2009890 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
Building Rule: 2009891 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script";
Building Rule: 2011082 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script";
Building Rule: 2011083 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004265 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004266 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004267 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004268 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004269 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004270 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004271 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004272 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004273 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004274 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004275 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004276 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004277 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004278 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004279 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004280 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004281 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004282 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004283 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004284 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004285 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004286 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004287 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004288 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004289 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004290 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004291 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004292 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004293 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004294 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004295 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004296 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004297 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004298 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004299 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004300 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004301 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004302 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004303 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004304 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004305 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004306 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- include_path=\s*(ftps?|https?|php)\:\/ uricontent:"include_path=ftp:/";
Building Rule: 2003331 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006345 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006346 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006347 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006348 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006349 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006350 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006795 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006796 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006797 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006798 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006799 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006800 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2006801 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2006802 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2006803 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2006804 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2006805 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2006806 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2005603 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2005604 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2005605 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2005606 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2005607 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2005608 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2007006 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2007007 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2007008 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2007009 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2007010 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2007011 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2007012 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2007013 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2007014 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2007015 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2007016 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2007017 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2007018 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2007019 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2007020 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2007021 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2007022 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2007023 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- minsoft_path=\s*(ftps?|https?|php)\:\/ uricontent:"minsoft_path=ftp:/";
Building Rule: 2009141 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- minsoft_path=\s*(ftps?|https?|php)\:\/ uricontent:"minsoft_path=ftp:/";
Building Rule: 2009142 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2004164 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
Building Rule: 2004165 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2004166 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2004167 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
Building Rule: 2004168 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2004169 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
Building Rule: 2003717 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- customer_login.*\"> uricontent:"customer_login">";
Building Rule: 2002371 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DIR=\s*(ftps?|https?|php)\:\/ uricontent:"DIR=ftp:/";
Building Rule: 2008900 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR=\s*(ftps?|https?|php)\:\/ uricontent:"DIR=ftp:/";
Building Rule: 2008901 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR=\s*(ftps?|https?|php)\:\/ uricontent:"DIR=ftp:/";
Building Rule: 2008902 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR=\s*(ftps?|https?|php)\:\/ uricontent:"DIR=ftp:/";
Building Rule: 2008903 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR=\s*(ftps?|https?|php)\:\/ uricontent:"DIR=ftp:/";
|---------------------| Building Rule: 2008904 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009437 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009430 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005778 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005779 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005780 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005781 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005782 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005783 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008938 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008994 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2003835 -------- Hex Payload Start ---------- 20 20 20 --------- Hex 
Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2003836 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2003837 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2003838 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2003839 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2003840 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009330 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2010631 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008835 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008672 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006627 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006628 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006629 -------- Hex Payload 
Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006630 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006631 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006632 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004612 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004613 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004614 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004615 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004616 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004617 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004095 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004096 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building 
Rule: 2004097 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004098 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004099 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004100 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004742 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2004743 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004744 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004745 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004746 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004747 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006880 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006881 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2006882 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006883 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006884 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006885 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006736 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006737 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006738 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006739 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006740 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006741 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006742 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006743 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO 
uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006744 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006745 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006746 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006747 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006748 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006749 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006750 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006751 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006752 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006753 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006754 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006755 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006756 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006757 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006758 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006759 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2007288 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2007289 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2007290 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2007291 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2007292 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2007293 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006547 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006548 -------- Hex Payload Start ---------- 20 20 
--------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006549 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006550 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006551 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006552 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004158 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004159 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004160 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004161 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004162 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004163 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004936 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004937 -------- 
Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004938 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004939 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004940 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004941 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004942 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004943 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004945 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004946 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004947 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004948 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004949 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| 
Building Rule: 2004950 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004951 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004952 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004953 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004954 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004955 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004956 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004957 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004958 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004959 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004960 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010028 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT 
uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010122 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010123 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009905 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009431 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- newsoffice_directory=\s*(https?|ftps?|php)\:\/ uricontent:"newsoffice_directory=http:/"; |---------------------| Building Rule: 2009432 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- read_xml_include=\s*(https?|ftps?|php)\:\/ uricontent:"read_xml_include=http:/"; |---------------------| Building Rule: 2010099 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009335 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005675 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005676 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005677 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005678 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; 
|---------------------| Building Rule: 2005679 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005680 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008921 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- root=\s*(ftps?|https?|php)\:\/ uricontent:"root=ftp:/"; |---------------------| Building Rule: 2008922 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003694 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003894 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003895 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003896 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005015 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005016 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005017 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005018 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005019 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005020 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009728 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- (script|img|src|onmouse|onkey|onload) uricontent:"script"; |---------------------| Building Rule: 2010031 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006591 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006592 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006593 -------- Hex Payload Start ---------- --------- Hex Payload End 
-----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006594
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006595
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006596
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006597
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006598
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006599
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006600
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006601
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006602
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004307
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004308
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004309
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004310
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004311
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004312
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004736
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004737
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004738
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004739
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004740
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004741
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006807
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006808
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006809
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006810
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006811
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006812
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
chemin_lib\s*=\s*(https?|ftps?|php)\:\/ uricontent:"chemin_lib=http:/";
|---------------------|
Building Rule: 2010355
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009332
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
CLASSES_ROOT=\s*(https?|ftps?|php)\:\/ uricontent:"CLASSES_ROOT=http:/";
|---------------------|
Building Rule: 2009333
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\; uricontent:"/sem/A.php?uniqueid=;";
|---------------------|
Building Rule: 2010510
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2010652
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2010653
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2010654
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2010655
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2010656
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
.*\[.*\].*\; uricontent:"[];";
|---------------------|
Building Rule: 2002702
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003741
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
|---------------------|
Building Rule: 2003878
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
Tipo=\s*(https?|ftps?|php)\:\/ uricontent:"Tipo=http:/";
|---------------------|
Building Rule: 2009395
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009396
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005597
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005598
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005599
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2005600
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2005601
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005602
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004450
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004451
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004452
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004453
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004454
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004455
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009906
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005186
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004846
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004847
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004848
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004849
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004850
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
oe_classpath=\s*(ftps?|https?|php)\:\/ uricontent:"oe_classpath=ftp:/";
|---------------------|
Building Rule: 2009164
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A) uricontent:".php?=http:";
|---------------------|
Building Rule: 2009931
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
phpAds_geoPlugin=\s*(ftps?|https?|php)\:\/ uricontent:"phpAds_geoPlugin=ftp:/";
|---------------------|
Building Rule: 2011274
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2011108
-------- Hex Payload Start ----------
47 45 54 20 20 2f 70 6c 75 67 69 6e 73 2f 73 69 70 2f 73 69 70 61 72 6b 2d 6c 6f 67 2d 73 75 6d 6d 61 72 79 2e 6a 73 70 3f 20 74 79 70 65 3d 20 53 45 4c 45 43 54 20 46 52 4f 4d
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2011109
-------- Hex Payload Start ----------
47 45 54 20 20 2f 70 6c 75 67 69 6e 73 2f 73 69 70 2f 73 69 70 61 72 6b 2d 6c 6f 67 2d 73 75 6d 6d 61 72 79 2e 6a 73 70 3f 20 74 79 70 65 3d 20 44 45 4c 45 54 45 20 46 52 4f 4d
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2011110
-------- Hex Payload Start ----------
47 45 54 20 20 2f 70 6c 75 67 69 6e 73 2f 73 69 70 2f 73 69 70 61 72 6b 2d 6c 6f 67 2d 73 75 6d 6d 61 72 79 2e 6a 73 70 3f 20 74 79 70 65 3d 20 55 4e 49 4f 4e 20 53 45 4c 45 43 54
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2011111
-------- Hex Payload Start ----------
47 45 54 20 20 2f 70 6c 75 67 69 6e 73 2f 73 69 70 2f 73 69 70 61 72 6b 2d 6c 6f 67 2d 73 75 6d 6d 61 72 79 2e 6a 73 70 3f 20 74 79 70 65 3d 20 49 4e 53 45 52 54 20 49 4e 54 4f
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2011112
-------- Hex Payload Start ----------
47 45 54 20 20 2f 70 6c 75 67 69 6e 73 2f 73 69 70 2f 73 69 70 61 72 6b 2d 6c 6f 67 2d 73 75 6d 6d 61 72 79 2e 6a 73 70 3f 20 74 79 70 65 3d 20 55 50 44 41 54 45 20 53 45 54
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2011057
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2011058
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2011059
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2011060
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2011061
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
context\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"context=0script";
|---------------------|
Building Rule: 2011268
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[preloc]=http:/";
|---------------------|
Building Rule: 2009459
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[preloc]=http:/";
|---------------------|
Building Rule: 2009460
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009461
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009462
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009463
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009464
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005937
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005938
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005939
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2005940
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2005941
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005942
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005943
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005944
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005945
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2005946
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2005947
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005948
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009065
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009066
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009067
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004241
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004242
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004243
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004244
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004245
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004246
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009068
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009069
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006510
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006511
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006512
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006513
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006514
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006515
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006516
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006517
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006518
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006519
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006520
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006521
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006522
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006523
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006524
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006525
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006526
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006527
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006528
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006529
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006530
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006531
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006532
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006533
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006534
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006535
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006536
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006537
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006538
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006539
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006540
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006541
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006542
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006543
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006544
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006545
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
include_path=\s*(ftps?|https?|php)\:/ uricontent:"include_path=ftp:/";
|---------------------|
Building Rule: 2009871
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
include_path=\s*(ftps?|https?|php)\:/ uricontent:"include_path=ftp:/";
|---------------------|
Building Rule: 2009872
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
include_path=\s*(ftps?|https?|php)\:/ uricontent:"include_path=ftp:/";
|---------------------|
Building Rule: 2009873
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
phpbb_root_path=(ftps?|https?|php) uricontent:"phpbb_root_path=ftp";
|---------------------|
Building Rule: 2002731
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005967
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005968
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005969
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2005970
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2005971
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005972
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2006969
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2006970
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2006971
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2006972
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2006973
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2006974
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
|---------------------|
Building Rule: 2003879
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
|---------------------|
Building Rule: 2003880
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003742
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003743
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003744
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003745
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2009743
-------- Hex Payload Start ----------
47 45 54 20 20 2e 2e 2f
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2004041
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2004042
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2004043
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2004044
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2004045
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2004046
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\/ uricontent:"text.ctrl.php?level=ftp:/";
|---------------------|
Building Rule: 2003372
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003740
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DataDirectory=\s*(ftps?|https?|php)\:\/ uricontent:"DataDirectory=ftp:/";
|---------------------|
Building Rule: 2010095
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2003805
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2003806
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2003807
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2003808
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2003809
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2003810
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------|
Building Rule: 2003811
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------|
Building Rule: 2003812
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------|
Building Rule: 2003813
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------|
Building Rule: 2003814
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------|
Building Rule: 2003815
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------|
Building Rule: 2003816
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003730
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004695
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004696
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004697
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004698
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004699
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004700
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005784
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005785
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005786
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2005787
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2005788
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005789
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003731
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003732
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003733
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009139
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
(\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:"";
|---------------------|
Building Rule: 2008961
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
confdir=\s*(ftps?|https?|php)\:\/ uricontent:"confdir=ftp:/";
|---------------------|
Building Rule: 2008962
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003703
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
PHPOF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\/ uricontent:"PHPOF_INCLUDE_PATH=ftp:/";
|---------------------|
Building Rule: 2009051
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
(argv[1]=\|.+) content:"argv1=|0";
Parser failed - skipping rule
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2009137
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------|
Building Rule: 2003735
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2008873
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2008874
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004701
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004702
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005180
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004703
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004704
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005181
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2008614
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001197
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2001202
-------- Hex Payload Start ----------
6e 61 6d 65 3d 20 55 4e 49 4f 4e 20 53 45 4c 45 43 54
--------- Hex Payload End -----------
<\s*SCRIPT\s*> uricontent:"<SCRIPT>";
|---------------------|
Building Rule: 2001218
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004325
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004326
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004327
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004328
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004329
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004330
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2004851
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2004852
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2004853
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2004854
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2004855
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2004856
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005456
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005457
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2005458
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2005459
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2005460
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2005461
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2005462
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------|
Building Rule: 2005463
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005464 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005465 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005466 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005467 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005468 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005469 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005470 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005471 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005472 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005473 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005474 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005475 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 
2005476 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005477 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005478 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005479 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005480 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005481 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005482 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005483 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005484 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005485 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005486 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005487 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005489 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005490 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005491 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005492 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005585 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005586 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005587 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005588 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005589 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005590 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006927 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006928 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006929 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006930 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006931 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006932 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006933 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006934 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006935 -------- Hex Payload Start ---------- 20 20 49 4e 53 45 52 54 --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006936 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006937 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006938 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2007176 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007177 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2007178 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2007179 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2007180 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2007181 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\?|&)category_id=[^\s\x26\x3B\x2f]*[\s\x2f] uricontent:"?category_id=%20"; |---------------------| Building Rule: 2010553 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- file=\s*(ftps?|https?|php)\:\/ uricontent:"file=ftp:/"; |---------------------| Building Rule: 2002800 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011133 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011134 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011135 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011136 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011137 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011168 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011169 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011170 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011171 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011172 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008649 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009140 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003683 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005901 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005902 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005903 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005904 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005905 -------- Hex Payload Start ---------- --------- 
Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005906 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005907 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005908 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005909 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005910 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005911 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005912 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005913 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005914 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005915 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005916 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005917 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET 
uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005918 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005919 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005920 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005921 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005922 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005923 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005924 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- includedir=\s*(ftps?|https?|php)\:\/ uricontent:"includedir=ftp:/"; |---------------------| Building Rule: 2002898 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009390 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009892 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003693 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003672 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; 
|---------------------| Building Rule: 2003673 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003674 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003675 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003676 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- GLOBALS\x5bFarmD\x5d\x3d content:"GLOBALS[FarmD]="; |---------------------| Building Rule: 2002837 -------- Hex Payload Start ---------- 47 4c 4f 42 41 4c 53 5b 46 61 72 6d 44 5d 3d 20 47 4c 4f 42 41 4c 53 5b 46 61 72 6d 44 5d 3d --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004606 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004607 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004608 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004609 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004610 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004611 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009073 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2009074 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009075 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004930 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004931 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004932 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004933 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004934 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004935 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006730 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006731 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006732 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006733 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT 
uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006734 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006735 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009168 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008930 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004259 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004260 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004261 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004262 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004263 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004264 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005216 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005217 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2005218 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005219 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005220 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005221 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004582 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004618 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004619 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004620 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004621 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004622 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004623 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003660 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
=\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003661 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003662 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003663 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003664 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003665 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003666 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003667 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003668 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003681 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2004089 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2004090 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2004091 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2004092 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2004093 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2004094 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004924 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004925 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004926 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004927 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004928 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004929 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- PATH_TO_CODE=\s*(https?|ftps?|php)\:\/ uricontent:"PATH_TO_CODE=http:/"; |---------------------| Building Rule: 2009415 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- includepath=\s*(ftps?|https?|php)\:\/ uricontent:"includepath=ftp:/"; |---------------------| Building Rule: 2008871 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- lib=\s*(ftps?|https?|php)\:\/ uricontent:"lib=ftp:/"; 
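Added example, not the converter's own code: the log above records two transforms per rule, the "Hex Payload Start ... End" dump of the rule's fixed bytes and a single `uricontent` literal squeezed out of the rule's pcre. The literal is derived loosely: `(https?|ftps?|php)` becomes whichever branch comes first (`=http:/`, `confdir=ftp:/`), `.+` appears to come out as a stand-in `0`, and `{1,}` or a leading `.*` leaves the rule as `NOT IMPL` or `Parser failed`. The code below, which assumes nothing about the converter's internals and uses its own names (`hex_payload_to_bytes`, `pcre_to_fragments`, `chain_matches`), decodes the hex block and walks the pcre to emit only the literals that every match must contain, in order, with alternations kept as any-of sets instead of collapsed to one branch. The sample URIs are constructed.

```python
"""Added example (not the converter whose log appears above): the two
transforms that log records, the 'Hex Payload' dump -> bytes and a Snort/ET
pcre -> the literal fragments every match of the pcre must contain."""
import re
from itertools import takewhile

_HEX_BLOCK = re.compile(
    r"Hex Payload Start\s*-+\s*((?:[0-9a-fA-F]{2}\s+)*)-+\s*Hex Payload End")
_CLASS = re.compile(r"\^?\]?(?:\\.|[^\]])*\]")          # body of [...] after the '['
_QUANT = re.compile(r"(?:([?*+])|\{(\d*),?\d*\})\??")    # ?, *, +, {m,n}, lazy variants


def hex_payload_to_bytes(log_entry):
    """Decode one entry's 'Hex Payload Start ... End' block; b'' when empty."""
    m = _HEX_BLOCK.search(log_entry)
    if m is None:
        raise ValueError("no hex payload block in entry")
    return bytes.fromhex("".join(m.group(1).split()))


def _alternation(branches):
    # Only the literal run opening each branch is guaranteed; emit an any-of
    # set of those runs, or None if some branch opens with a wildcard.
    heads = ["".join(takewhile(lambda t: isinstance(t, str), b)) for b in branches]
    return [None, tuple(heads), None] if all(heads) else [None]


def _tokens(body):
    """Tokenize a pcre body: 1-char str = literal, None = 'anything may sit
    here', tuple = one of these literal runs (subset used by the ET web rules)."""
    i = 0

    def seq(stop):
        nonlocal i
        toks = []
        while i < len(body) and body[i] not in stop:
            c, i = body[i], i + 1
            if c == "(":
                i += 2 * body.startswith("?:", i)
                branches = [seq(")|")]
                while i < len(body) and body[i] == "|":
                    i += 1
                    branches.append(seq(")|"))
                i += 1                                   # closing ')'
                atom = _alternation(branches) if len(branches) > 1 else branches[0]
            elif c == "[":                               # class: any member may match
                m = _CLASS.match(body, i)
                if m is None:
                    raise ValueError("unterminated class at %d" % i)
                i, atom = m.end(), [None]
            elif c == "\\":
                e, i = body[i], i + 1
                if e == "x":                             # \xHH -> the byte itself
                    atom, i = [chr(int(body[i:i + 2], 16))], i + 2
                elif e in "sSdDwW":                      # shorthand class
                    atom = [None]
                elif e in "bBAZz":                       # zero-width assertion
                    atom = []
                else:
                    atom = [{"n": "\n", "r": "\r", "t": "\t"}.get(e, e)]
            else:
                atom = {".": [None], "^": [], "$": []}.get(c, [c])
            q = _QUANT.match(body, i)
            if q:                                        # quantified atom
                i = q.end()
                if not (q.group(1) == "+" or int(q.group(2) or 0) > 0):
                    atom = [None]                        # optional: not guaranteed
            toks.extend(atom)
        return toks

    return seq("")


def pcre_to_fragments(pcre):
    """Return (fragments, nocase): the ordered literals (str) and any-of sets
    (tuple) every match contains. Accepts Snort's /body/flags or a bare body."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", pcre, re.S)
    body, flags = (m.group(1), m.group(2)) if m else (pcre, "")
    frags, cur = [], ""
    for t in _tokens(body) + [None]:
        if isinstance(t, str):
            cur += t
            continue
        frags += [cur] if cur else []
        frags += [t] if t else []
        cur = ""
    return frags, "i" in flags


def chain_matches(frags, text, nocase=False):
    """Snort-style pre-filter: fragments in order, each after the previous
    (distance:0). Necessary, not sufficient, for the pcre itself to match."""
    hay, pos = (text.lower() if nocase else text), 0
    for f in frags:
        ends = []
        for lit in ((f,) if isinstance(f, str) else f):
            k = hay.find(lit.lower() if nocase else lit, pos)
            if k != -1:
                ends.append(k + len(lit))
        if not ends:
            return False
        pos = min(ends)
    return True
```

Run against the log's own patterns, `hex_payload_to_bytes` turns `47 45 54 20` into `b"GET "`, `pcre_to_fragments(r"/=\s*(https?|ftps?|php)\:\//Ui")` gives `["=", ("http", "ftp", "php"), ":/"]` with nocase set, and `(\.\.\/){1,}` yields `["../"]` rather than `NOT IMPL`. The fragment chain maps onto `content` options joined by `distance:0`; an any-of set has no single-content equivalent, so it needs one rule per branch or a pre-filter on the piece shared by all of them. The one-branch literal the log emits is a false negative in practice: `=http:/` never occurs in a URI carrying `inc=https://...` or `inc=ftp://...`, both of which the pcre matches, while `chain_matches` with the any-of set accepts them.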
|---------------------| Building Rule: 2008899 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008616 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2002331 -------- Hex Payload Start ---------- 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 5c 3a 20 42 61 73 69 63 20 63 47 6c 79 59 57 35 6f 59 54 70 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003691 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003702 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009056 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009055 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009936 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- _px_config\x5bmanager_path\x5d=(https?|ftps?|php)\: content:"_px_config[manager_path]=http:"; |---------------------| Building Rule: 2002815 -------- Hex Payload Start ---------- 5f 70 78 5f 63 6f 6e 66 69 67 5b 6d 61 6e 61 67 65 72 5f 70 61 74 68 5d 3d 20 5f 70 78 5f 63 6f 6e 66 69 67 5b 6d 61 6e 61 67 65 72 5f 70 61 74 68 5d 3d 68 74 74 70 3a --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003914 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- pcConfig\[smartyPath\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"pcConfig[smartyPath]=http:/"; |---------------------| Building Rule: 2010466 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004905 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004906 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004907 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004908 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004909 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004910 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- site_path=\s*(ftps?|https?|php)\:\/ uricontent:"site_path=ftp:/"; |---------------------| Building Rule: 2003371 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005621 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005622 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building 
Rule: 2005623 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005624 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005625 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005626 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005627 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005628 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005629 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005630 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005631 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005632 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005633 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005634 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005635 -------- Hex Payload 
Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005636 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005637 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005638 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011117 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009057 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009659 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009660 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008786 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\?|&)id=[^\x26\x3B]*[^\d\x2D] uricontent:"?id=#"; |---------------------| Building Rule: 2010604 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- sourceFolder=\s*(ftps?|https?|php)\:/ uricontent:"sourceFolder=ftp:/"; |---------------------| Building Rule: 2009898 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008823 -------- Hex Payload Start ---------- 47 45 54 20 
--------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006351 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006352 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006353 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006354 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006355 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006356 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- sPath\s*=\s*(https?|ftps?|php)\:\/ uricontent:"sPath=http:/"; |---------------------| Building Rule: 2010276 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009672 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009673 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009736 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009737 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008865 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 
2004587 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2004588 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2004589 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2004590 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008880 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008881 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008882 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\/ uricontent:"CONFIG[gameroot]=ftp:/"; |---------------------| Building Rule: 2009502 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009503 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\/ uricontent:"CONFIG[gameroot]=ftp:/"; |---------------------| Building Rule: 2009504 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009505 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009746 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- qte_web_path=\s*(ftps?|https?|php)\:\/ 
uricontent:"qte_web_path=ftp:/"; |---------------------| Building Rule: 2009723 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009724 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010185 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010186 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010187 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010188 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010189 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004571 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010021 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- path=\s*(ftps?|https?|php)\:\/ uricontent:"path=ftp:/"; |---------------------| Building Rule: 2009788 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- config\[library_path\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[library_path]=ftp:/"; |---------------------| Building Rule: 2010097 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008924 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005681 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005682 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005683 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005684 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005685 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005686 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; 
|---------------------| Building Rule: 2005021 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005022 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005023 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005024 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005025 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005026 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005027 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005028 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005029 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005030 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005031 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005032 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 
2005093 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005094 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005095 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005096 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005097 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005098 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005099 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005100 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005101 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005102 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005103 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005104 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008615 -------- Hex Payload Start 
---------- 47 45 54 20 --------- Hex Payload End ----------- INC_DIR=\s*(ftps?|https?|php)\:\/ uricontent:"INC_DIR=ftp:/"; |---------------------| Building Rule: 2009101 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009049 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009050 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006939 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006940 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006941 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006942 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006943 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006944 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006945 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006946 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; 
|---------------------| Building Rule: 2006947 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006948 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006949 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006950 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2009059 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2009060 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\/ uricontent:"GLOBALS[mosConfig_absolute_path]=ftp:/"; |---------------------| Building Rule: 2009061 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2009062 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\/ uricontent:"GLOBALS[mosConfig_absolute_path]=ftp:/"; |---------------------| Building Rule: 2009466 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\/ uricontent:"GLOBALS[mosConfig_absolute_path]=ftp:/"; |---------------------| Building Rule: 2009467 -------- Hex Payload Start 
---------- 47 45 54 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2009468 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\/ uricontent:"REX[INCLUDE_PATH]=ftp:/"; |---------------------| Building Rule: 2011254 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\/ uricontent:"REX[INCLUDE_PATH]=ftp:/"; |---------------------| Building Rule: 2011255 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003872 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003873 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009011 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009012 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009513 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2003829 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2003830 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2003831 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2003832 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2003833 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2003834 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004600 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004601 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004602 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004603 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004604 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004605 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005687 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005688 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO 
uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005689 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005690 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005691 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005692 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005693 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005694 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005695 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005696 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005697 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005698 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005699 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005700 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2005701 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005702 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005703 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005704 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005705 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005706 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005707 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005708 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005709 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005710 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005711 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005712 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 
2005713 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005714 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005715 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005716 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005717 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005718 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005719 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005720 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005721 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005722 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005723 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005724 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005725 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005726 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005727 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005728 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005729 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005730 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005731 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005732 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005733 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005734 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005735 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005736 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005738 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005739 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005740 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005741 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005742 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005743 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005744 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005745 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005746 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005747 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005748 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005749 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005750 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005751 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005752 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005753 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005754 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005755 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005756 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005757 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005758 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005759 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005760 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005761 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005762 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; 
|---------------------| Building Rule: 2005763 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005764 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005765 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2009018 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004660 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004661 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004662 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004663 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004664 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004665 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003871 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011155 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011156 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011157 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011158 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011159 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- (\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E) uricontent:"?admin=/"; |---------------------| Building Rule: 2010610 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2003817 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2003818 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2003819 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2003820 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; 
|---------------------| Building Rule: 2003821 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2003822 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2003858 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2003859 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2003860 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2003861 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2003862 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2003863 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- _SERWEB\[configdir\]=\s*(https?|ftps?|php)\:\/ uricontent:"_SERWEB[configdir]=http:/"; |---------------------| Building Rule: 2010124 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- _SERWEB\[functionsdir\]=\s*(https?|ftps?|php)\:\/ uricontent:"_SERWEB[functionsdir]=http:/"; |---------------------| Building Rule: 2010125 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008815 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008816 
-------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2008793 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- _page_css=\s*(ftps?|https?|php)\:\/ uricontent:"_page_css=ftp:/"; |---------------------| Building Rule: 2009653 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- _page_javascript=\s*(ftps?|https?|php)\:\/ uricontent:"_page_javascript=ftp:/"; |---------------------| Building Rule: 2009654 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- _page_content=\s*(ftps?|https?|php)\:\/ uricontent:"_page_content=ftp:/"; |---------------------| Building Rule: 2009656 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011207 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 30 32 39 37 44 32 34 41 2d 46 34 32 35 2d 34 37 45 45 2d 39 46 33 42 2d 41 34 35 39 42 43 45 35 39 33 45 33 20 48 65 61 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011208 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 58 48 54 54 50 2e 48 54 54 50 20 48 65 61 64 --------- Hex Payload End ----------- cs_base_path=\s*(ftps?|https?|php)\:\/ uricontent:"cs_base_path=ftp:/"; |---------------------| Building Rule: 2011209 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004463 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004464 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004465 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004466 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004467 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004468 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- class_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"class_path=http:/"; |---------------------| Building Rule: 2010922 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- class_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"class_path=http:/"; |---------------------| Building Rule: 2010923 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004493 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004494 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004495 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004496 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004497 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004498 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; 
|---------------------| Building Rule: 2004499 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004500 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004501 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004502 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004503 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004504 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004505 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004506 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004507 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004508 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004509 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004510 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 
2004511 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004512 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004513 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004514 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004515 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004516 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004517 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004518 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004519 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004520 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004521 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004522 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011726 -------- Hex Payload Start 
---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011727 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011728 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011729 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011730 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011731 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004116 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004117 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004118 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004119 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004120 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004121 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006309 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006310 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006311 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006312 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006313 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006314 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009727 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003922 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009048 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004415 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004416 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004417 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004418 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004419 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004420 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- IP=\s*(ftps?|https?|php)\:\/ uricontent:"IP=ftp:/"; |---------------------| Building Rule: 2009123 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010020 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008723 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005790 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005791 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005792 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005793 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005794 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005795 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008722 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2003852 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2003853 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2003854 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2003855 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2003856 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2003857 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003746 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- slogin_path=\s*(ftps?|https?|php)\:\/ uricontent:"slogin_path=ftp:/"; |---------------------| Building Rule: 2008996 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009000 -------- Hex Payload Start ---------- 47 45 54 20 20 70 69 64 3d --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004779 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004780 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004781 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004782 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004783 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004784 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004785 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004786 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2004787 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004788 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004789 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004790 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005871 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005872 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005873 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005874 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005875 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005876 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- site_path\s*=\s*(https?|ftps?|php)\:\/ uricontent:"site_path=http:/"; |---------------------| Building Rule: 2010564 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009070 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- theme=\s*(ftps?|https?|php)\:\/ 
uricontent:"theme=ftp:/"; |---------------------| Building Rule: 2009071 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008867 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005518 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005519 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005520 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005521 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005522 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005523 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005524 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005525 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2005526 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005527 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| 
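Every entry above follows one shape: the rule's content bytes dumped as hex between the "Hex Payload Start/End" markers, then a PCRE and the uricontent literal the converter derived from it. The derivation is visible from the pairs themselves: literal characters and escaped punctuation (`\(`, `\[`, `\/`, `\:`, `\xHH`) are kept, `.+` becomes `0`, `\s+` becomes `%20`, anything optional (`?`, `*`, `\s*`, `[^...]*`) disappears, a group keeps only its first alternative (`(https?|ftps?|php)` gives `http`, `(ftps?|https?|php)` gives `ftp`, `(\?|&)` gives `?`), a character class is approximated by its first member (`[\x2F\x5C\x00]` gives `/`), and a repeated group that is not a plain literal triggers "NOT IMPL not _simple(av) in REPEATING CODES", which leaves the traversal pattern `(\.\.\/){1,}` with an empty literal. The practitioner-level caveat is that the result is narrower than the PCRE: `class_path=http:/` covers none of the ftp or php wrapper branches, and `0` / `%20` are placeholders rather than bytes a URI has to contain, so a consumer of this output must split on them instead of matching them literally.

The following Python is an added example, not the converter's own code (its source is not on this page); it is a reconstruction of the rules just described, with the meaning of the `0` and `%20` placeholders and the definition of a "simple" group taken as assumptions, chosen so that the function reproduces every conversion that appears in the log. A second helper decodes the hex payload field.

```python
import re
from collections import namedtuple

ANY_PLUS = "0"      # placeholder the log shows for `.+` (meaning assumed)
SPACE_PLUS = "%20"  # rendering the log shows for `\s+` (URL-encoded space)

# text: literal the element contributes; simple: a plain character; group: ( ... )
_Atom = namedtuple("_Atom", "text simple group", defaults=(False, False))


class _Parser:
    def __init__(self, pattern):
        self.s, self.i, self.warnings = pattern, 0, []

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else None

    def take(self):
        self.i += 1
        return self.s[self.i - 1]

    def alternation(self):
        """`a|b|c`: only the first branch can become part of the literal."""
        text, simple = self.sequence()
        while self.peek() == "|":
            self.take()
            self.sequence()                    # later branches are discarded
            simple = False
        return text, simple

    def sequence(self):
        parts, simple = [], True
        while self.peek() not in (None, "|", ")"):
            atom, quant = self.atom(), self.quantifier()
            simple = simple and atom.simple and quant is None
            if quant is None:
                parts.append(atom.text)
            elif atom.group and not atom.simple:
                self.warnings.append("NOT IMPL not _simple(av) in REPEATING CODES")
            elif quant[0] >= 1:                # `+`, `{1,}`: keep one copy
                parts.append(atom.text)
            # `?`, `*`, `{0,n}`: optional, so it contributes nothing
        return "".join(parts), simple

    def atom(self):
        c = self.take()
        if c == "(":
            text, simple = self.alternation()
            self.take()                        # closing )
            return _Atom(text, simple, group=True)
        if c == "[":
            return self.char_class()
        if c == "\\":
            return self.escape()
        if c == ".":
            return _Atom(ANY_PLUS)
        return _Atom(c, simple=True)

    def escape(self):
        c = self.take()
        if c == "x":                           # \xHH -> that byte
            self.i += 2
            return _Atom(chr(int(self.s[self.i - 2:self.i], 16)))
        if c == "s":
            return _Atom(SPACE_PLUS)
        return _Atom(c)                        # \. \/ \( \? \[ ... -> the char

    def char_class(self):
        """`[...]`: first member for a positive class, unknown byte if negated."""
        negated = self.peek() == "^"
        self.i += negated                      # skip the ^ when present
        first = None
        while self.peek() not in (None, "]"):
            member = self.escape() if self.take() == "\\" else _Atom(self.s[self.i - 1])
            first = member.text if first is None else first
        self.take()                            # closing ]
        return _Atom(ANY_PLUS if negated or first is None else first)

    def quantifier(self):
        c = self.peek()
        if c in ("?", "*", "+"):
            self.take()
            return (1, None) if c == "+" else (0, None)
        if c == "{" and (m := re.match(r"\{(\d+)(,\d*)?\}", self.s[self.i:])):
            self.i += m.end()
            return int(m.group(1)), None
        return None


def pcre_to_uricontent(pattern):
    """Return (literal, warnings) for a PCRE, in the form the log reports."""
    parser = _Parser(pattern)
    text, _ = parser.alternation()
    return text, parser.warnings


def hex_payload_to_str(hexdump):
    """Decode a 'Hex Payload' field such as '47 45 54 20' into 'GET '."""
    return bytes(int(h, 16) for h in hexdump.split()).decode("latin-1")
```

Calling `pcre_to_uricontent(r"(\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E)")` returns `("?admin=/", [])`, and the XSS pattern `.*<?(java|vb)?script>?.*<.+\/script>?` returns `("script<0/script", [...])` with the single NOT IMPL warning for the repeated `(java|vb)?` group, matching the two lines of log output for that rule. `hex_payload_to_str("47 45 54 20 20 70 69 64 3d")` gives `"GET  pid="`, which is what the content bytes of a GET-parameter rule look like once decoded.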
Building Rule: 2005528 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005529 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005530 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005531 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005532 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005533 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005534 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005535 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005536 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005537 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005538 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005539 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005540 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005541 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005542 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005543 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005544 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005545 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005546 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005547 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005548 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005549 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005550 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005551 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005552 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005553 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005554 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005555 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005556 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005557 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005558 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005559 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005560 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005561 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005562 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005563 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005564 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET 
uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005566 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- _SESSION\[SCRIPT_PATH\]=\s*(https?|ftps?|php)\x3a\/ uricontent:"_SESSION[SCRIPT_PATH]=http:/"; |---------------------| Building Rule: 2009179 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- g_pcltar_lib_dir=\s*(https?|ftps?|php)\:\/ uricontent:"g_pcltar_lib_dir=http:/"; |---------------------| Building Rule: 2009180 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009181 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009182 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004863 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004864 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004865 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004866 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004867 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004868 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009100 -------- Hex Payload Start ---------- 
47 45 54 20 --------- Hex Payload End ----------- (Buildpath|GetDriveName|DriveExists|DeleteFile) content:"Buildpath"; |---------------------| Building Rule: 2010745 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 53 6f 66 74 41 72 74 69 73 61 6e 73 2e 46 69 6c 65 4d 61 6e 61 67 65 72 2e 31 20 42 75 69 6c 64 70 61 74 68 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89 content:"<OBJECT classid=clsid:E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; |---------------------| Building Rule: 2010746 -------- Hex Payload Start ---------- 63 6c 73 69 64 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 20 42 75 69 6c 64 50 61 74 68 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89 content:"<OBJECT classid=clsid:E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; |---------------------| Building Rule: 2010747 -------- Hex Payload Start ---------- 63 6c 73 69 64 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 20 47 65 74 44 72 69 76 65 4e 61 6d 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89 content:"<OBJECT classid=clsid:E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; |---------------------| Building Rule: 2010748 -------- Hex Payload Start ---------- 63 6c 73 69 64 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 
30 31 30 35 41 30 41 37 45 38 39 20 44 72 69 76 65 45 78 69 73 74 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89 content:"<OBJECT classid=clsid:E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; |---------------------| Building Rule: 2010749 -------- Hex Payload Start ---------- 63 6c 73 69 64 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 20 44 65 6c 65 74 65 46 69 6c 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 45 37 42 36 32 46 34 45 2d 38 32 46 34 2d 31 31 44 32 2d 42 44 34 31 2d 30 30 31 30 35 41 30 41 37 45 38 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5 content:"<OBJECT classid=clsid:66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; |---------------------| Building Rule: 2010943 -------- Hex Payload Start ---------- 36 36 37 35 37 42 46 43 2d 44 41 30 43 2d 34 31 45 36 2d 42 33 46 45 2d 42 36 44 34 36 31 32 32 33 46 46 35 20 53 61 76 65 46 6f 72 6d 61 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 36 36 37 35 37 42 46 43 2d 44 41 30 43 2d 34 31 45 36 2d 42 33 46 45 2d 42 36 44 34 36 31 32 32 33 46 46 35 --------- Hex Payload End ----------- objects_path=\s*(ftps?|https?|php)\:\/ uricontent:"objects_path=ftp:/"; |---------------------| Building Rule: 2011051 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- objects_path=\s*(ftps?|https?|php)\:\/ uricontent:"objects_path=ftp:/"; |---------------------| Building Rule: 2011052 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; 
|---------------------| Building Rule: 2006129 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006130 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006131 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006132 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006133 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006134 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006479 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006480 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006481 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006482 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006484 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006485 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003881 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004379 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004380 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004381 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004382 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004383 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004384 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/servlet\/dea\/register\?fwReg=[>\"] uricontent:"/servlet/dea/register?fwReg=>"; |---------------------| Building Rule: 2010509 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/sgms\/caption\.jsp\?.*scrn_name=.*[>\"] uricontent:"/sgms/caption.jsp?scrn_name=>"; |---------------------| Building Rule: 2010511 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- neededFiles\[patForms\]=\s*(ftps?|https?|php)\:\/ uricontent:"neededFiles[patForms]=ftp:/"; |---------------------| Building Rule: 2009144 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004816 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT 
uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004817 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004818 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004819 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004820 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004821 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005152 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005153 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005155 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005154 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005156 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005157 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008932 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; 
|---------------------| Building Rule: 2009744 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004822 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004823 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004824 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004825 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004826 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004827 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006633 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006634 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006635 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006636 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006637 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; 
|---------------------| Building Rule: 2006638 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006639 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006640 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006641 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006642 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006643 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006644 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006645 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006646 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006647 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006648 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006649 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; 
|---------------------| Building Rule: 2006650 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006651 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006652 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006653 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006654 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006655 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006656 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011065 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009138 -------- Hex Payload Start ---------- 63 6c 73 69 64 42 35 35 37 36 38 39 33 2d 46 39 34 38 2d 34 45 30 46 2d 39 42 45 31 2d 41 33 37 43 42 35 36 44 36 36 46 46 20 53 61 76 65 44 6f 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009145 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- shop_this_skin_path=\s*(https?|ftps?|php)\:\/ uricontent:"shop_this_skin_path=http:/"; |---------------------| Building Rule: 2009229 -------- Hex Payload Start ---------- 47 
45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009230 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010098 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2003705 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003706 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003707 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003708 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003709 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003710 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003711 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003712 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003715 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003713 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003714 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2003867 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005567 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005568 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005569 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2005570 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005571 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005572 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006003 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006004 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006005 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006006 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006007 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006008 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006009 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; 
|---------------------| Building Rule: 2006010 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006011 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006012 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006013 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006014 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006015 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006016 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006017 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006018 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006019 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006020 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006021 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 
2006022 -------- Hex Payload Start ---------- 70 61 73 73 77 6f 72 64 4e 65 77 3d --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006023 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006024 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006025 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006026 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006027 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006028 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006029 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006030 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006031 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006032 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006033 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 
2006034 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006035 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006036 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006037 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006038 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006039 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006040 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006041 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006042 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006043 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006044 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006045 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006046 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006047 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006048 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006049 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006050 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006051 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006052 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006053 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006054 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006055 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006056 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006057 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006058 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006059 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006060 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006061 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006062 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006063 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006064 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006065 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006066 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006067 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006068 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006069 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006070 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO 
uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006071 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006072 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006073 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006074 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006075 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006076 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006077 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006078 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006079 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006080 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009169 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009789 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009199 
-------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003902 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004575 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003669 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010026 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- inc_dir=\s*(https?|ftps?|php)\:\/ uricontent:"inc_dir=http:/"; |---------------------| Building Rule: 2009663 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009726 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009729 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008821 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004558 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003678 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008934 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003687 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003688 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003689 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003917 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008827 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008828 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008829 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004869 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004870 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004871 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004872 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004873 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004874 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003888 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003889 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003890 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003891 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003892 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003893 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- %INCLUDE\s*{.*rev=\"\d+\|.+\".*}\s*% content:"%INCLUDE{rev="0|0"}%"; Parser failed - skipping rule &TYPEOF\:.+system\s*\( uricontent:"&TYPEOF:0system("; |---------------------| Building Rule: 2003085 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004672 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004673 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004674 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004675 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004676 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004677 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004678 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005185 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004679 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004680 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004681 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004682 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005233 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005234 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005235 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005236 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005237 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005238 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006886 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006887 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006888 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006889 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006890 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006891 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006892 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006893 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006894 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006895 -------- Hex Payload Start ---------- --------- Hex Payload 
End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006896 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006897 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005003 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005004 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005005 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005006 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005007 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005008 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2007283 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007200 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2007201 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2007202 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2007203 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2007204 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2007205 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007206 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2007207 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2007208 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2007209 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2007210 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008872 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- config\[include_dir\]=\s*(https?|ftps?|php)\:\/ uricontent:"config[include_dir]=http:/"; |---------------------| Building Rule: 2010126 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010127 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003692 -------- Hex Payload 
Start ---------- --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004573 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005669 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005670 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005671 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005672 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005673 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005674 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009731 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006603 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006604 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006605 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; 
|---------------------| Building Rule: 2006606 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006607 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006608 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- vwar_root=\s*(ftps?|https?|php)\:\/ uricontent:"vwar_root=ftp:/"; |---------------------| Building Rule: 2002899 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- vwar_root=\s*(ftps?|https?|php)\:\/ uricontent:"vwar_root=ftp:/"; |---------------------| Building Rule: 2002902 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- highlighter\s*=\s*(https?|ftps?|php)\:\/ uricontent:"highlighter=http:/"; |---------------------| Building Rule: 2010254 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010255 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008926 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006279 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006280 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006281 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006282 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006283 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006284 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006285 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006286 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006287 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006288 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006289 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006290 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006291 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006292 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006293 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006294 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT 
uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006295 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006296 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006297 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006298 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006299 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006300 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006301 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006302 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003671 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- select=.+UNION\s+SELECT uricontent:"select=0UNION%20SELECT"; |---------------------| Building Rule: 2002494 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009794 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES content:"script<0/script"; |---------------------| Building Rule: 2009587 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 6c 65 66 74 2e 63 67 69 3f 20 64 6f 6d 3d 20 73 63 72 69 70 74 20 73 63 72 69 70 74 3c 30 2f 73 63 72 69 70 74 --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2009588 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 6c 69 6e 6b 2e 63 67 69 2f 20 73 63 72 69 70 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009589 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 76 69 72 74 75 61 6c 2d 73 65 72 76 65 72 2f 6c 69 6e 6b 2e 63 67 69 2f 20 2f 68 74 74 70 5c 3a 2f 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005493 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005494 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005495 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005496 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005497 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005498 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005499 -------- Hex Payload Start ---------- --------- Hex Payload End 
-----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005500 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005501 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005502 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005503 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005504 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005505 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005506 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005507 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005508 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005509 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005510 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/";
|---------------------| Building Rule: 2009877 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2008791 -------- Hex Payload Start ---------- 43 4c 53 49 44 42 44 46 33 45 39 44 32 2d 35 46 37 41 2d 34 46 34 41 2d 41 39 31 34 2d 37 34 39 38 43 38 36 32 45 41 36 41 20 73 61 76 65 50 61 67 65 41 73 42 69 74 6d 61 70 --------- Hex Payload End -----------
|---------------------| Building Rule: 2010944 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4d 4f 56 49 45 50 4c 41 59 45 52 2e 4d 6f 76 69 65 50 6c 61 79 65 72 43 74 72 6c 2e 31 20 44 72 61 77 54 65 78 74 --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2003993 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2003994 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2003995 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2003996 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2003997 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2003998 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005889 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005890 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005891 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005892 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005893 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005894 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2008875 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007416 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007417 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007418 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007419 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007420 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007421 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007422 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007423 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007424 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007425 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007426 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007427 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007428 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007429 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007430 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007431 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007432 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007433 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007434 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007435 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007436 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007437 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007438 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007439 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007440 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007441 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007442 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007443 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007444 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007445 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007446 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007447 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007448 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007449 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007450 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007451 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004128 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004129 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004130 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004131 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004132 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004133 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004134 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004135 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004136 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004137 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004138 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004139 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004647 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004648 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004649 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004650 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004651 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004652 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005304 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005305 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005306 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005307 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005308 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005309 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005310 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005187 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005188 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005189 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005190 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005191 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004313 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004314 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004315 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004316 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004318 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004317 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009838 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009839 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009840 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009841 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009842 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009843 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009844 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009845 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
config\[installdir\]=\s*(ftps?|https?|php)\:\/ uricontent:"config[installdir]=ftp:/";
|---------------------| Building Rule: 2009846 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005949 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005950 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005951 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005952 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005953 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005954 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2003764 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2003765 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2003766 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2003767 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2003768 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2003769 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
(art=\|.+\|) content:"art=|0|";
Parser failed - skipping rule
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004253 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004254 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004255 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004256 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004257 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004258 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009058 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2006455 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2006456 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2006457 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2006458 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2006459 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2006460 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005955 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005956 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005957 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005958 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005959 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005960 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005961 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005962 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005963 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005964 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005965 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005966 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2006975 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2006976 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2006977 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2006978 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2006979 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2006980 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2006981 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2006982 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2006983 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2006984 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2006985 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2006986 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2006987 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2006988 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2006989 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2006990 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2006991 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2006992 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2006993 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2006994 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2006995 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2006996 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2006997 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2006998 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2007070 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2007071 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2007072 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2007073 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2007074 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
.+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2007075 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
plancia=\s*(ftps?|https?|php)\:\/ uricontent:"plancia=ftp:/";
|---------------------| Building Rule: 2008826 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009122 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2008939 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009306 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End -----------
include_path=\s*(https?|ftps?|php)\:\/ uricontent:"include_path=http:/";
|---------------------| Building Rule: 2009307 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009308 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End -----------
include_path=\s*(https?|ftps?|php)\:\/ uricontent:"include_path=http:/";
|---------------------| Building Rule: 2009309 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009310 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End -----------
include_path=\s*(https?|ftps?|php)\:\/ uricontent:"include_path=http:/";
|---------------------| Building Rule: 2009311 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009312 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End -----------
include_path=\s*(https?|ftps?|php)\:\/ uricontent:"include_path=http:/";
|---------------------| Building Rule: 2009313 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
\/ws\/(login|get_reminders|get_events)\.php content:"/ws/login.php";
|---------------------| Building Rule: 2003520 -------- Hex Payload Start ---------- 2f 77 73 2f 6c 6f 67 69 6e 2e 70 68 70 --------- Hex Payload End -----------
|---------------------| Building Rule: 2011723 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 20 63 6c 73 69 64 33 41 46 46 44 37 46 37 2d 46 44 33 44 2d 34 43 39 44 2d 38 46 38 33 2d 30 33 32 39 36 41 31 41 38 38 34 30 20 52 65 64 69 72 65 63 74 --------- Hex Payload End -----------
|---------------------| Building Rule: 2011724 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 4f 4f 4c 42 41 52 33 4c 69 62 2e 54 6f 6f 6c 62 61 72 4f 62 6a 20 52 65 64 69 72 65 63 74 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004754 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004755 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004756 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004757 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004758 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004759 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004760 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004761 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004762 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004763 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004764 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004765 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009013 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009014 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009015 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009016 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2009017 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[RootPath]=http:/";
|---------------------| Building Rule: 2010092 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[RootPath]=http:/";
|---------------------| Building Rule: 2010093 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[RootPath]=http:/";
|---------------------| Building Rule: 2010094 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004911 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004912 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004913 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004914 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004915 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004916 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004772 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004773 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004774 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004775 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004776 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004778 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004224 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004225 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004226 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004227 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004228 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004229 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004230 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004231 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004232 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004233 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004439 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004234 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004235 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004236 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004237 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004238 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004239 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004240 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2010009 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2f 75 6e 61 75 74 68 65 6e 74 69 63 61 74 65 64 2f 2f 2e 2e 25 30 31 2f 2e 2e 25 30 31 2f 2e 2e 25 30 31 2f --------- Hex Payload End -----------
page=\s*(ftps?|https?|php)\:\/ uricontent:"page=ftp:/";
|---------------------| Building Rule: 2009690 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
page=\s*(ftps?|https?|php)\:\/ 
uricontent:"page=ftp:/"; |---------------------| Building Rule: 2009691 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"Queue=script"; |---------------------| Building Rule: 2010167 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Filename\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"Filename=script"; |---------------------| Building Rule: 2010168 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"IsolatedMessageID=script"; |---------------------| Building Rule: 2010169 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"ServerName=script"; |---------------------| Building Rule: 2010170 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"FileName=script"; |---------------------| Building Rule: 2010171 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"IsolatedMessageID=script"; |---------------------| Building Rule: 2010172 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"ServerName=script"; |---------------------| Building Rule: 2010173 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- Dictionary\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"Dictionary=script"; |---------------------| Building Rule: 2010174 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Scoring\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"Scoring=script"; |---------------------| Building Rule: 2010175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- MessagePart\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"MessagePart=script"; |---------------------| Building Rule: 2010176 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"Queue=script"; |---------------------| Building Rule: 2010177 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"FileName=script"; |---------------------| Building Rule: 2010178 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"IsolatedMessageID=script"; |---------------------| Building Rule: 2010179 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick) uricontent:"ServerName=script"; |---------------------| Building Rule: 2010180 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005227 -------- Hex Payload Start ---------- 
--------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005228 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005229 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005230 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005231 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005232 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004140 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004141 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004142 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004143 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004144 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004145 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- config_path=\s*(ftps?|https?|php)\:\/ uricontent:"config_path=ftp:/"; |---------------------| Building Rule: 2008935 -------- Hex Payload Start ---------- 47 45 54 
20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003696 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003916 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2004574 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004247 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004248 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004249 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004250 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004251 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004252 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004997 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004998 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004999 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005000 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005001 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005002 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005280 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005281 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005282 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005283 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005284 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005285 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005286 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005287 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005288 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005289 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005290 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005291 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006921 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006922 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006923 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006924 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006925 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006926 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- redirect_to=(ht|f)tps?\:\/ uricontent:"redirect_to=http:/"; |---------------------| Building Rule: 2003508 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003685 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003686 -------- Hex Payload Start ---------- --------- 
Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003885 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004011 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004012 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004013 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004014 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004015 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004016 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004403 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004404 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004405 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004406 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004407 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004408 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004654 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004655 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004656 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004657 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004658 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004659 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005657 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005658 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005659 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005660 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005661 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005662 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008725 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2009010 -------- Hex Payload Start ---------- 47 45 54 20 20 62 6f 6f 6b 5f 69 64 3d --------- Hex Payload End ----------- ABSPATH\s*=\s*(https?|ftps?|php)\:\/ uricontent:"ABSPATH=http:/"; |---------------------| Building Rule: 2010473 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp) uricontent:"/wp-admin/admin.php0page=/collapsing-archives/options.txt"; |---------------------| Building Rule: 2010728 -------- Hex Payload Start ---------- 70 61 67 65 3d --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"script"; |---------------------| Building Rule: 2011006 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011044 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011045 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011071 -------- Hex Payload Start ---------- 47 45 54 20 
--------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011046 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011047 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"tagcloud=0script"; |---------------------| Building Rule: 2011107 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004343 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004344 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004345 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004346 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004347 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004348 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005117 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005118 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005119 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005120 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005121 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005122 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005123 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005124 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005125 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005126 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005127 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005128 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005129 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005130 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2005131 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005132 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005133 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005134 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- web_root=\s*(https?|ftps?|php)\:\/ uricontent:"web_root=http:/"; |---------------------| Building Rule: 2009925 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009926 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- web_root=\s*(https?|ftps?|php)\:\/ uricontent:"web_root=http:/"; |---------------------| Building Rule: 2009927 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009928 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009194 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- (onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src) uricontent:"onmouse"; |---------------------| Building Rule: 2011138 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src) uricontent:"onmouse"; |---------------------| Building Rule: 2011139 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009738 -------- Hex 
Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004857 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004858 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004859 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004860 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004861 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004862 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- include_directory=\s*(https?|ftps?|php)\:\/ uricontent:"include_directory=http:/"; |---------------------| Building Rule: 2009870 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- id=-?\d+.+UNION.+SELECT uricontent:"id=00UNION0SELECT"; |---------------------| Building Rule: 2003516 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- set_menu=\s*(ftps?|https?|php)\:\/ uricontent:"set_menu=ftp:/"; |---------------------| Building Rule: 2003517 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005378 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005379 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO 
uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005380 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005381 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005382 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005383 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005384 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005385 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005386 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005387 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005388 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005389 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006486 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006487 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; 
|---------------------| Building Rule: 2006488 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006489 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006490 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006491 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008688 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010121 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\?|&)id=[^\x26\x3B]*[^\d\x2D] uricontent:"?id=#"; |---------------------| Building Rule: 2010607 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006213 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006214 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006215 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006216 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006217 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET 
uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006218 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005609 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005610 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005611 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005612 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005613 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005614 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- context\[path_to_root\]=\s*(https?|ftps?|php)\:\/ uricontent:"context[path_to_root]=http:/"; |---------------------| Building Rule: 2009190 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009191 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- YAPIG_PATH=\s*(ftps?|https?|php)\:\/ uricontent:"YAPIG_PATH=ftp:/"; |---------------------| Building Rule: 2011098 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003739 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B content:"<OBJECT 
classid=clsid:5622772D-6C27-11D3-95E5-006008D14F3B"; |---------------------| Building Rule: 2010945 -------- Hex Payload Start ---------- 63 6c 73 69 64 35 36 32 32 37 37 32 44 2d 36 43 32 37 2d 31 31 44 33 2d 39 35 45 35 2d 30 30 36 30 30 38 44 31 34 46 33 42 20 4f 70 65 6e 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 35 36 32 32 37 37 32 44 2d 36 43 32 37 2d 31 31 44 33 2d 39 35 45 35 2d 30 30 36 30 30 38 44 31 34 46 33 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010946 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 59 6f 50 6c 61 79 65 72 2e 59 6f 50 6c 79 43 64 2e 31 20 6f 70 65 6e --------- Hex Payload End ----------- cfgIncludeDirectory=\s*(https?|ftps?|php)\:\/ uricontent:"cfgIncludeDirectory=http:/"; |---------------------| Building Rule: 2009316 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008817 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008818 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008819 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009393 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009329 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2001238 -------- Hex Payload Start ---------- 2f 2e 2e 2f 64 61 74 61 2f 6c 6f 67 2e 74 78 74 20 2f 2e 2e 2f 57 49 4e 4e 54 2f --------- Hex Payload End ----------- UNION.+SELECT 
uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008686 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009693 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 61 64 6d 69 6e 2f 72 65 63 6f 72 64 5f 63 6f 6d 70 61 6e 79 2e 70 68 70 2f 70 61 73 73 77 6f 72 64 5f 66 6f 72 67 6f 74 74 65 6e 2e 70 68 70 20 61 63 74 69 6f 6e 3d 69 6e 73 65 72 74 --------- Hex Payload End ----------- INTO.+OUTFILE uricontent:"INTO0OUTFILE"; |---------------------| Building Rule: 2010669 -------- Hex Payload Start ---------- 49 4e 54 4f 20 4f 55 54 46 49 4c 45 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010670 -------- Hex Payload Start ---------- 53 45 4c 45 43 54 20 46 52 4f 4d --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010672 -------- Hex Payload Start ---------- 49 4e 53 45 52 54 20 49 4e 54 4f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010673 -------- Hex Payload Start ---------- 55 4e 49 4f 4e 20 53 45 4c 45 43 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2010761 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2010763 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004803 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004804 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004805 -------- Hex Payload Start ---------- --------- Hex Payload 
End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004806 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004807 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004808 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005192 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005193 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005194 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005195 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005196 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005197 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005198 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005199 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005200 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005201 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005202 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005203 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005204 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005205 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005206 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005207 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005208 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005209 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005210 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005211 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005212 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; 
|---------------------| Building Rule: 2005213 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005214 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005215 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2003981 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2003982 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2003983 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2003984 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2003985 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2003986 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005979 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005980 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005981 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; 
|---------------------| Building Rule: 2005982 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005983 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005984 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009661 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010771 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010772 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010773 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010774 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010775 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- 
row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010776 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"row_y5_site_configuration[templates_folder]=http:/"; |---------------------| Building Rule: 2010777 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2004557 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005324 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005325 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005326 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005327 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005328 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005329 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008929 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009790 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM 
uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005766 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005767 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005768 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005769 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005770 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005771 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"script"; |---------------------| Building Rule: 2011115 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- cct_base=\s*(ftps?|https?|php)\:\/ uricontent:"cct_base=ftp:/"; |---------------------| Building Rule: 2008966 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- cct_base=\s*(ftps?|https?|php)\:\/ uricontent:"cct_base=ftp:/"; |---------------------| Building Rule: 2008967 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- cct_base=\s*(ftps?|https?|php)\:\/ uricontent:"cct_base=ftp:/"; |---------------------| Building Rule: 2008968 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- cct_base=\s*(ftps?|https?|php)\:\/ uricontent:"cct_base=ftp:/"; |---------------------| Building Rule: 2008969 -------- Hex Payload Start ---------- 
47 45 54 20 --------- Hex Payload End ----------- cct_base=\s*(ftps?|https?|php)\:\/ uricontent:"cct_base=ftp:/"; |---------------------| Building Rule: 2008970 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009045 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006171 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006172 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006173 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006174 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006176 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006177 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006178 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2006179 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006180 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006181 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006182 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- mod_root=\s*(https?|ftps?|php) uricontent:"mod_root=http"; |---------------------| Building Rule: 2009367 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- controller\s*=\s*(https?|ftps?|php)\:\/ uricontent:"controller=http:/"; |---------------------| Building Rule: 2010847 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2004053 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2004054 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2004055 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2004056 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2004057 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2004058 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2004101 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT 
uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2004102 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2004103 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2004104 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2004105 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2004106 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- GLOBALS\[prefix\]=\s*(ftps?|https?|php)\:/ uricontent:"GLOBALS[prefix]=ftp:/"; |---------------------| Building Rule: 2009874 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009875 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005033 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005034 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005035 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005036 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005037 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005038 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006951 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006952 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006953 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006954 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006955 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006956 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006957 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006958 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2006959 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006960 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006961 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; 
|---------------------| Building Rule: 2006962 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006963 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006964 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006965 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006966 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006967 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006968 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006615 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006616 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006617 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006618 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006619 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; 
|---------------------| Building Rule: 2006620 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2006621 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2006622 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2006623 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2006624 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2006625 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2006626 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Cookie: .*admin-access= content:"Cookie: admin-access="; |---------------------| Building Rule: 2010719 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 0d 0a 43 6f 6f 6b 69 65 5c 3a 20 20 61 64 6d 69 6e 2d 61 63 63 65 73 73 3d 20 65 31 30 37 6c 61 6e 67 75 61 67 65 5f 20 43 6f 6f 6b 69 65 3a 20 61 64 6d 69 6e 2d 61 63 63 65 73 73 3d --------- Hex Payload End ----------- a_name=' uricontent:"a_name='"; |---------------------| Building Rule: 2002663 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008788 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008813 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End 
----------- e107path=\s*(ftps?|https?|php)\:\/ uricontent:"e107path=ftp:/"; |---------------------| Building Rule: 2009435 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009436 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2009227 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A) uricontent:".php?=http:"; |---------------------| Building Rule: 2009932 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- LICMGR_ADDLICENSE&[^\x00\n\r@&]{450} content:"LICMGR_ADDLICENSE&##################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 10616 (msg:"ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow"; flow:established,to_server; content:"LICMGR_ADDLICENSE&"; nocase; depth:18; isdataat:450,relative; content:"LICMGR_ADDLICENSE&##################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; reference:cve,2006-3838; reference:url,secunia.com/advisories/21211/; reference:url,doc.emergingthreats.net/2003056; classtype:attempted-admin; sid:2003056; rev:5;) Parser failed - skipping rule SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005925 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005926 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005927 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005928 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005929 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005930 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005931 -------- 
Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005932 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005933 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005934 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005935 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005936 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009224 -------- Hex Payload Start ---------- 2e 2e 2f --------- Hex Payload End ----------- inc_ordner=\s*(https?|ftps?|php)\:\/ uricontent:"inc_ordner=http:/"; |---------------------| Building Rule: 2009225 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008849 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008850 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008851 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008852 -------- Hex Payload Start ---------- 
47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008853 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008854 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008855 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008856 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008857 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008858 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- _REQUEST\[read\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"_REQUEST[read]=http:/"; |---------------------| Building Rule: 2010661 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2007374 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007375 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2007376 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2007377 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2007378 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2007379 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2007380 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007381 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2007382 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2007383 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2007384 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2007385 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2007386 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2007387 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2007388 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2007389 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2007390 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2007391 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2003875 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2004108 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004109 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2004110 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| Building Rule: 2004111 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004112 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2004113 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- dirDepth=\s*(https?|ftps?|php)\:\/ uricontent:"dirDepth=http:/"; |---------------------| Building Rule: 2009188 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; 
|---------------------| Building Rule: 2003718 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003719 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003720 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003721 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003722 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003723 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003724 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003725 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003747 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005807 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005808 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005804 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005806 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005809 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005810 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005811 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005812 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005813 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005814 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005815 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005816 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005817 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005818 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005819 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; 
|---------------------| Building Rule: 2005820 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005821 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005822 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2005823 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2005824 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2005825 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2005826 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2005827 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2005828 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\?|&)GID=[^\x26\x3B]*[^\d\x2D] uricontent:"?GID=#"; |---------------------| Building Rule: 2010608 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2006609 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2006610 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; 
|---------------------| Building Rule: 2006611 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2006612 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2006613 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2006614 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2008997 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- net2ftp_globals\[application_skinsdir\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"net2ftp_globals[application_skinsdir]=http:/"; |---------------------| Building Rule: 2010979 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- fs_jVroot\s*=\s*(https?|ftps?|php)\:\/ uricontent:"fs_jVroot=http:/"; |---------------------| Building Rule: 2010191 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- fs_jVroot\s*=\s*(https?|ftps?|php)\:\/ uricontent:"fs_jVroot=http:/"; |---------------------| Building Rule: 2010192 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- fs_jVroot\s*=\s*(https?|ftps?|php)\:\/ uricontent:"fs_jVroot=http:/"; |---------------------| Building Rule: 2010193 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004840 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004841 -------- Hex Payload Start ---------- --------- Hex Payload End 
----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004842 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004843 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004844 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004845 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009671 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- base_path=\s*(ftps?|https?|php)\:\/ uricontent:"base_path=ftp:/"; |---------------------| Building Rule: 2009053 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003684 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE\s+SELECT uricontent:"UPDATE%20SELECT"; |---------------------| Building Rule: 2004469 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004470 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004471 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004472 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004473 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004474 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004475 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004476 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004477 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004478 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004479 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2004492 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2008668 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2009501 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM"; |---------------------| Building Rule: 2004005 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT"; |---------------------| Building Rule: 2004006 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO"; |---------------------| Building Rule: 2004007 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM"; |---------------------| 
Building Rule: 2004008 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT"; |---------------------| Building Rule: 2004009 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET"; |---------------------| Building Rule: 2004010 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009719 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2009720 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003698 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003699 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003700 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/"; |---------------------| Building Rule: 2003701 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- icerikyolu=\s*(https?|ftps?|php)\:\/ uricontent:"icerikyolu=http:/"; |---------------------| Building Rule: 2009325 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- sayfaid=\s*(https?|ftps?|php)\:\/ uricontent:"sayfaid=http:/"; |---------------------| Building Rule: 2009326 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- uzanti=\s*(https?|ftps?|php)\:\/ uricontent:"uzanti=http:/"; |---------------------| Building Rule: 2009327 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End 
----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2010615 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2010616 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2010617 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2010618 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2010619 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004899 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004900 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004901 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004902 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004903 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004904 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2009709 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 0d 0a 0d 0a 74 6f 6b 65 6e 3d 20 
68 6f 73 74 20 70 68 70 69 6e 66 6f 25 32 38 25 32 39 25 33 62 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; flow:established,to_server; content:"POST"; http_method; uricontent:"/scripts/setup.php"; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2010902 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2010903 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (agendaplace(2?)|infoevent|agenda(2?))\.php3\? uricontent:"agendaplace.php3?"; |---------------------| Building Rule: 2002879 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .*<?(java|vb)?script>?.*<.+\/script>? 
NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script"; |---------------------| Building Rule: 2004552 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- content=\s*(https?|ftps?|php)\:\/ uricontent:"content=http:/"; |---------------------| Building Rule: 2009397 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- (\.\.\/){1,} NOT IMPL not _simple(av) in REPEATING CODES uricontent:""; |---------------------| Building Rule: 2008992 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- GLOBALS\[BASE\]\s*=\s*(https?|ftps?|php)\:\/ uricontent:"GLOBALS[BASE]=http:/"; |---------------------| Building Rule: 2010485 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004170 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004171 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004172 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004173 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004174 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004176 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT 
uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004177 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004178 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004179 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004180 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004181 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004182 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; |---------------------| Building Rule: 2004183 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2004184 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2004185 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2004186 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2004187 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2004188 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT"; 
|---------------------| Building Rule: 2004189 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004190 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004191 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004192 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004193 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004194 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004195 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004196 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004197 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004198 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004199 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004200 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004201 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004202 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004203 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004204 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004205 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004206 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004207 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004208 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004209 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004210 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004211 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004212 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004213 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004214 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004215 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004216 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004217 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004218 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004219 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004220 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004221 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004222 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004223 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2009085 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- apps_path\[themes\]=\s*(ftps?|https?|php)\:\/ uricontent:"apps_path[themes]=ftp:/";
|---------------------| Building Rule: 2009086 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009087 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- apps_path\[libs\]=\s*(ftps?|https?|php)\:\/ uricontent:"apps_path[libs]=ftp:/";
|---------------------| Building Rule: 2009088 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2009089 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- .+SELECT.+FROM uricontent:"0SELECT0FROM";
|---------------------| Building Rule: 2003782 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UNION\s+SELECT uricontent:"0UNION%20SELECT";
|---------------------| Building Rule: 2003783 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+INSERT.+INTO uricontent:"0INSERT0INTO";
|---------------------| Building Rule: 2003784 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+DELETE.+FROM uricontent:"0DELETE0FROM";
|---------------------| Building Rule: 2003785 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+ASCII\(.+SELECT uricontent:"0ASCII(0SELECT";
|---------------------| Building Rule: 2003786 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- .+UPDATE.+SET uricontent:"0UPDATE0SET";
|---------------------| Building Rule: 2003787 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2009887 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2009320 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- _path\[counter\]=\s*(ftps?|https?|php)\:\/ uricontent:"_path[counter]=ftp:/";
|---------------------| Building Rule: 2009321 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2003167 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2009331 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- CFG\[txtsql\]\[class\]=\s*(ftps?|https?|php)\:\/ uricontent:"CFG[txtsql][class]=ftp:/";
|---------------------| Building Rule: 2009416 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005663 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005664 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005665 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005666 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005667 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005668 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005348 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005349 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005350 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005351 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005352 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005353 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- [\?&]name=[^&\;\?]+\x27 uricontent:"?name=#'";
|---------------------| Building Rule: 2010701 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <?(java|vb)?script>?.*<.+\/script>? NOT IMPL not _simple(av) in REPEATING CODES uricontent:"script<0/script";
|---------------------| Building Rule: 2003874 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005354 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005355 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005356 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005357 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005358 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005359 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004748 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004749 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004750 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004751 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004752 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004753 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2004881 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2004882 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2004883 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2004884 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2004885 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2004886 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005239 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005240 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005241 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005242 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005243 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005244 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005245 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005246 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005247 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005248 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005249 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005250 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005251 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005312 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005252 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005253 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005254 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005255 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- =\s*(https?|ftps?|php)\:\/ uricontent:"=http:/";
|---------------------| Building Rule: 2003670 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2005158 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION\s+SELECT uricontent:"UNION%20SELECT";
|---------------------| Building Rule: 2005159 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2005160 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2005161 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2005162 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2005163 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2008928 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2011464 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2011466 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2011467 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65) Parser failed - skipping rule
|---------------------| Building Rule: 2100465 Protocol Not Supported
|---------------------| Building Rule: 2100366 Protocol Not Supported
|---------------------| Building Rule: 2100368 Protocol Not Supported
|---------------------| Building Rule: 2100369 Protocol Not Supported
|---------------------| Building Rule: 2100370 Protocol Not Supported
|---------------------| Building Rule: 2100371 Protocol Not Supported
|---------------------| Building Rule: 2100483 Protocol Not Supported
|---------------------| Building Rule: 2100372 Protocol Not Supported
|---------------------| Building Rule: 2100373 Protocol Not Supported
|---------------------| Building Rule: 2100374 Protocol Not Supported
|---------------------| Building Rule: 2100376 Protocol Not Supported
|---------------------| Building Rule: 2100377 Protocol Not Supported
|---------------------| Building Rule: 2100378 Protocol Not Supported
|---------------------| Building Rule: 2100379 Protocol Not Supported
|---------------------| Building Rule: 2100380 Protocol Not Supported
|---------------------| Building Rule: 2100484 Protocol Not Supported
|---------------------| Building Rule: 2100482 Protocol Not Supported
|---------------------| Building Rule: 2100480 Protocol Not Supported
|---------------------| Building Rule: 2100474 Protocol Not Supported
|---------------------| Building Rule: 2100476 Protocol Not Supported
|---------------------| Building Rule: 2101918 Protocol Not Supported
|---------------------| Building Rule: 2100640 Parser failed - skipping rule
|---------------------| Building Rule: 2100641 Parser failed - skipping rule
|---------------------| Building Rule: 2100642 Parser failed - skipping rule
|---------------------| Building Rule: 2100643 Parser failed - skipping rule
|---------------------| Building Rule: 2100652 Parser failed - skipping rule
|---------------------| Building Rule: 2100639 Parser failed - skipping rule
|---------------------| Building Rule: 2100644 Parser failed - skipping rule
|---------------------| Building Rule: 2100645 Parser failed - skipping rule
|---------------------| Building Rule: 2100646 Parser failed - skipping rule
|---------------------| Building Rule: 2100647 Parser failed - skipping rule
|---------------------| Building Rule: 2102313 Parser failed - skipping rule
|---------------------| Building Rule: 2102312 Parser failed - skipping rule
|---------------------| Building Rule: 2102314 Parser failed - skipping rule
|---------------------| Building Rule: 2101424 Parser failed - skipping rule
|---------------------| Building Rule: 2101390 Parser failed - skipping rule
|---------------------| Building Rule: 2100651 Parser failed - skipping rule
type both, track by_dst, count 100, seconds 60
|---------------------| Building Rule: 2100162 -------- Hex Payload Start ---------- 53 49 50 2f 32 2e 30 20 34 30 31 20 55 6e 61 75 74 68 6f 72 69 7a 65 64 --------- Hex Payload End -----------
type both, track by_src, count 100, seconds 60
|---------------------| Building Rule: 2100163 -------- Hex Payload Start ---------- 53 49 50 2f 32 2e 30 20 34 30 37 20 50 72 6f 78 79 20 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 52 65 71 75 69 72 65 64 --------- Hex Payload End -----------
type both, track by_src, count 100, seconds 60
|---------------------| Building Rule: 2100158 -------- Hex Payload Start ---------- 49 4e 56 49 54 45 --------- Hex Payload End -----------
|---------------------| Building Rule: 2100498 -------- Hex Payload Start ---------- 75 69 64 3d 30 28 72 6f 6f 74 29 --------- Hex Payload End -----------
|---------------------| Building Rule: 2101633 Error here depth! -------- Hex Payload Start ---------- 2a 02 20 20 20 20 00 04 00 07 --------- Hex Payload End -----------
|---------------------| Building Rule: 2101320 -------- Hex Payload Start ---------- 66 75 63 6b 20 6d 6f 76 69 65 73 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103134; rev:5;) Parser failed - skipping rule
|---------------------| Building Rule: 2102580 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 2d --------- Hex Payload End -----------
|---------------------| Building Rule: 2101988 -------- Hex Payload Start ---------- 4d 53 47 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 6e 6d 73 67 72 70 32 70 4d 53 4e 53 4c 50 2f 31 2e 30 20 32 30 30 20 4f 4b --------- Hex Payload End -----------
|---------------------| Building Rule: 2101989 -------- Hex Payload Start ---------- 4d 53 47 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 6e 6d 73 67 72 70 32 70 4d 53 4e 53 4c 50 2f 31 2e 30 20 36 30 33 20 44 65 63 6c 69 6e 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2102453 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 18 --------- Hex Payload End -----------
|---------------------| Building Rule: 2102454 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 19 --------- Hex Payload End -----------
|---------------------| Building Rule: 2102458 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 98 --------- Hex Payload End -----------
|---------------------| Building Rule: 2102451 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 4a --------- Hex Payload End -----------
|---------------------| Building Rule: 2102456 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 4d --------- Hex Payload End -----------
|---------------------| Building Rule: 2102461 -------- Hex Payload Start ---------- 0d 00 05 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2100236 -------- Hex Payload Start ---------- 3c 6d 65 73 73 61 67 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2100235 -------- Hex Payload Start ---------- 3c 73 75 63 63 65 73 73 --------- Hex Payload End -----------
|---------------------| Building Rule: 2019526 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2102056 -------- Hex Payload Start ---------- 54 52 41 43 45 --------- Hex Payload End -----------
|---------------------| Building Rule: 2102061 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2102073 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2102156 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101979 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- forum=.*' content:"forum='";
|---------------------| Building Rule: 2102654 -------- Hex Payload Start ---------- 6e 61 6d 65 3d 46 6f 72 75 6d 73 20 66 69 6c 65 3d 76 69 65 77 74 6f 70 69 63 20 66 6f 72 75 6d 3d 27 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7;) Parser failed - skipping rule
^APOP\s+USER\s[^\n]{256} content:"APOP USER ################################################################################################################################################################################################################################################################";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; content:"APOP USER ################################################################################################################################################################################################################################################################"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2;) Parser failed - skipping rule
^APOP\s[^\n]{256} content:"APOP ################################################################################################################################################################################################################################################################";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; content:"APOP ################################################################################################################################################################################################################################################################"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:2101635; rev:14;) Parser failed - skipping rule
^AUTH\s[^\n]{50} content:"AUTH ##################################################";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; content:"AUTH ##################################################"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2101936; rev:9;) Parser failed - skipping rule
|---------------------| Building Rule: 2100288 -------- Hex Payload Start ---------- d8 40 cd 80 e8 d9 ff ff ff 2f 62 69 6e 2f 73 68 --------- Hex Payload End -----------
|---------------------| Building Rule: 2100289 -------- Hex Payload Start ---------- 56 0e 31 c0 b0 3b 8d 7e 12 89 f9 89 f9 --------- Hex Payload End -----------
^LIST\s[^\n]{10} content:"LIST ##########";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; content:"LIST ##########"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8;) Parser failed - skipping rule
^PASS\s[^\n]{50} content:"PASS ##################################################";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; content:"PASS ##################################################"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:2101634; rev:15;) Parser failed - skipping rule
^STAT\s[^\n]{10} content:"STAT ##########";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; content:"STAT ##########"; classtype:attempted-admin; sid:2102110; rev:4;) Parser failed - skipping rule
^XTND\s[^\n]{50} content:"XTND ##################################################";
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; content:"XTND ##################################################"; classtype:attempted-admin; sid:2101938; rev:5;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101960; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101962; rev:8;) Parser failed - skipping rule
|---------------------| Building Rule: 2101949 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 01 20 00 00 00 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2102014 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 02 20 00 00 00 00 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:12;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:11;) Parser failed - skipping rule
|---------------------| Building Rule: 2100598 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 04 20 00 00 00 00 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102036; rev:7;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13;) Parser failed - skipping rule
|---------------------| Building Rule: 2101922 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 05 20 00 00 00 00 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102093; rev:6;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102082; rev:10;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12;) Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101733; rev:10;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2102016; rev:7;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2100616 -------- Hex Payload Start ---------- 56 45 52 53 49 4f 4e 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1;depth:1; content:"|01 00|";distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103159; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103275; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103276; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103239; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2102524 Error here depth! Error here within! Error here within! -------- Hex Payload Start ---------- 00 20 20 20 ff 53 4d 42 20 05 20 0b 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:16;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102190; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103236; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103237; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103156; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2100529 -------- Hex Payload Start ---------- 5c 00 5c 00 2a 00 53 00 4d 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100530 -------- Hex Payload Start ---------- 00 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 20 00 31 00 33 00 38 00 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101239 -------- Hex Payload Start ---------- 42 45 41 56 49 53 20 79 65 70 20 79 65 70 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100532; rev:14;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102473; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2100533; rev:17;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102470; rev:12;) Parser failed - skipping rule |---------------------| Building Rule: 2100534 -------- Hex Payload Start ---------- 5c 2e 2e 2f 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100535 -------- Hex Payload Start ---------- 5c 2e 2e 2e 00 00 00 --------- Hex Payload End ----------- ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103429; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103180; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103425; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103430; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103181; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103426; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103177; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103176; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103431; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103182; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103427; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103179; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103178; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100536; rev:13;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102467; rev:9;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2102511
Error here depth!
Error here within!
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 ff 53 4d 42 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 05 20 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 09 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102510; rev:8;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2102525
Error here depth!
Error here within!
Error here within!
-------- Hex Payload Start ----------
00 20 20 20 ff 53 4d 42 20 05 20 0b 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102309; rev:7;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102308; rev:7;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103381; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103377; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103382; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103378; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103383; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103379; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103384; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103380; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100537; rev:17;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100538; rev:17;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103397; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103393; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103398; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103394; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103399; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103395; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103400; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103260; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103256; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103261; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103257; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103262; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103258; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103263; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102937; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103034; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103026; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103035; rev:9;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103019; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103042; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103050; rev:5;)
Parser failed - skipping rule
^.{27} content:"000000000000000000000000000";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"000000000000000000000000000"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103018; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103036; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103028; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103029; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103052; rev:5;)
Parser failed - skipping rule
^.{27} content:"000000000000000000000000000";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"000000000000000000000000000"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2102384
Error here depth!
Error here depth!
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 ff 53 4d 42 73 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 60 20 00 00 00 62 06 83 00 00 06 2b 06 01 05 05 02 06 0a 2b 06 01 04 01 82 37 02 02 0a a3 3e 30 3c a0 30
--------- Hex Payload End -----------
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103223; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103219; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103218; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103224; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103225; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103221; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103220; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103413; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103409; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103414; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103410; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103415; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103411; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103416; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103412; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103240; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103245; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103241; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103246; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103242; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103247; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103243; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103118; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103119; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103115; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103114; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103120; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103121; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103117; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103116; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103102; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103098; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103090; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103103; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103099; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103104; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103100; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103105; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103101; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103164; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103160; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103165; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103161; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103166; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103162; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103167; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,rel
ative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5;)
Parser failed - skipping rule
^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102929; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2102176
Error here depth!
-------- Hex Payload Start ----------
00 20 20 20 ff 53 4d 42 32 44 6f 63 75 6d 65 6e 74 73 20 61 6e 64 20 53 65 74 74 69 6e 67 73 5c 41 6c 6c 20 55 73 65 72 73 5c 53 74 61 72 74 20 4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2102177
Error here depth!
-------- Hex Payload Start ---------- 00 20 20 20 ff 53 4d 42 32 5c 00 53 00 74 00 61 00 72 00 74 00 20 00 4d 00 65 00 6e 00 75 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 73 00 5c 00 53 00 74 00 61 00 72 00 74 00 75 00 70 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102940; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102174; rev:9;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103207; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103203; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102941; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102175; rev:10;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103209; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2100293 -------- Hex Payload Start ---------- e8 c0 ff ff ff 2f 62 69 6e 2f 73 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101780 -------- Hex Payload Start ---------- 20 78 20 50 41 52 54 49 41 4c 20 31 20 42 4f 44 59 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- \sAPPEND\s[^\n]{256} content:" APPEND ################################################################################################################################################################################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; content:" APPEND ################################################################################################################################################################################################################################################################"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3;) Parser failed - skipping rule AUTH\s[^\n]{100} content:"AUTH ####################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; isdataat:100,relative; content:"AUTH ####################################################################################################"; reference:bugtraq,8861; classtype:misc-attack; sid:2102330; rev:3;) Parser failed - skipping rule \sAUTHENTICATE\s[^\n]{100} content:" AUTHENTICATE ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; content:" AUTHENTICATE ####################################################################################################"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12;) Parser failed - skipping rule \sCOPY\s[^\n]*?\{ content:" COPY {"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; content:" COPY {"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:2;) Parser failed - skipping rule \sDELETE\s[^\n]{100} content:" DELETE ####################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; content:" DELETE ####################################################################################################"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2;) Parser failed - skipping rule \sEXAMINE\s[^\n]{100} content:" EXAMINE ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; content:" EXAMINE ####################################################################################################"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2;) Parser failed - skipping rule \sFETCH\s[^\n]{500} content:" FETCH ####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:500,relative; content:" FETCH ####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; reference:bugtraq,11775; classtype:misc-attack; sid:2103070; rev:3;) Parser failed - skipping rule \sFIND\s[^\n]{100} content:" FIND ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; content:" FIND ####################################################################################################"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8;) Parser failed - skipping rule \sLOGIN\s[^\n]{100} content:" LOGIN ####################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; content:" LOGIN ####################################################################################################"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16;) Parser failed - skipping rule \sRENAME\s[^\n]{100} content:" RENAME ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; content:" RENAME ####################################################################################################"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9;) Parser failed - skipping rule \sSTATUS\s[^\n]{100} content:" STATUS ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; content:" STATUS ####################################################################################################"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3;) Parser failed - skipping rule \sSUBSCRIBE\s[^\n]*?\s\{ content:" SUBSCRIBE {"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; content:" SUBSCRIBE {"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:2;) Parser failed - skipping rule \sSUBSCRIBE\s[^\n]{100} content:" SUBSCRIBE ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; content:" SUBSCRIBE ####################################################################################################"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2;) Parser failed - skipping rule \sUNSUBSCRIBE\s[^\n]*?\s\{ content:" UNSUBSCRIBE {"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; content:" UNSUBSCRIBE {"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:2;) Parser failed - skipping rule \sUNSUBSCRIBE\s[^\n]{100} content:" UNSUBSCRIBE ####################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; content:" UNSUBSCRIBE ####################################################################################################"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2101414 -------- Hex Payload Start ---------- 70 72 69 76 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101412 -------- Hex Payload Start ---------- 70 75 62 6c 69 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100334 -------- Hex Payload Start ---------- 2e 66 6f 72 77 61 72 64 --------- Hex Payload End ----------- ^ALLO\s[^\n]{100} content:"ALLO ####################################################################################################"; Unsupported keyword! Error parsing rule contents alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; content:"ALLO ####################################################################################################"; reference:bugtraq,9953; classtype:attempted-admin; sid:2102449; rev:3;) Parser failed - skipping rule ^APPE\s[^\n]{100} content:"APPE ####################################################################################################"; Unsupported keyword! 
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; content:"APPE ####################################################################################################"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2102391; rev:11;)
Parser failed - skipping rule
^CMD\s[^\n]{100}
content:"CMD ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; content:"CMD ####################################################################################################"; classtype:attempted-admin; sid:2101621; rev:12;)
Parser failed - skipping rule
^CWD\s[^\n]*?\.\.\.
content:"CWD ...";
|---------------------|
Building Rule: 2101229
-------- Hex Payload Start ----------
43 57 44 2e 2e 2e 20 43 57 44 20 2e 2e 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101779
-------- Hex Payload Start ----------
43 57 44 20 20 20 2e 2e 2e 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2102125
-------- Hex Payload Start ----------
43 57 44 20 43 3a 5c
--------- Hex Payload End -----------
^CWD\s[^\n]{100}
content:"CWD ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; content:"CWD ####################################################################################################"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:24;)
Parser failed - skipping rule
^CWD\s+~
content:"CWD ~";
|---------------------|
Building Rule: 2101672
-------- Hex Payload Start ----------
43 57 44 20 43 57 44 20 7e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101728
-------- Hex Payload Start ----------
43 57 44 20 20 20 7e 0d 0a
--------- Hex Payload End -----------
^CWD\s+~root
content:"CWD ~root";
|---------------------|
Building Rule: 2100336
-------- Hex Payload Start ----------
43 57 44 20 7e 72 6f 6f 74 20 43 57 44 20 7e 72 6f 6f 74
--------- Hex Payload End -----------
^DELE\s[^\n]{100}
content:"DELE ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; content:"DELE ####################################################################################################"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101975; rev:9;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow"; flow:to_server,established; content:"MKD "; isdataat:100,relative; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:2100349; rev:13;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2101992
-------- Hex Payload Start ----------
4c 49 53 54 20 2e 2e 20 2e 2e
--------- Hex Payload End -----------
^MDTM\s[^\n]{100}
content:"MDTM ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; content:"MDTM ####################################################################################################"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:7;)
Parser failed - skipping rule
^MKD\s[^\n]{100}
content:"MKD ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; content:"MKD ####################################################################################################"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:2101973; rev:11;)
Parser failed - skipping rule
^NLST\s[^\n]{100}
content:"NLST ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; content:"NLST ####################################################################################################"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7;)
Parser failed - skipping rule
^PASS\s[^\n]{100}
content:"PASS ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; content:"PASS ####################################################################################################"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:2101972; rev:18;)
Parser failed - skipping rule
^PORT
content:"PORT";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; content:"PORT"; classtype:misc-attack; sid:2103441; rev:2;)
Parser failed - skipping rule
^REST\s[^\n]{100}
content:"REST ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; content:"REST ####################################################################################################"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:2101974; rev:7;)
Parser failed - skipping rule
^RETR\s[^\n]{100}
content:"RETR ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; content:"RETR ####################################################################################################"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8;)
Parser failed - skipping rule
^RMD\s[^\n]{100}
content:"RMD ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; content:"RMD ####################################################################################################"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101976; rev:10;)
Parser failed - skipping rule
^RMDIR\s[^\n]{100}
content:"RMDIR ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; content:"RMDIR ####################################################################################################"; reference:bugtraq,819; classtype:attempted-admin; sid:2101942; rev:7;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2101622
-------- Hex Payload Start ----------
52 4e 46 52 20 20 20 2e 2f 2e 2f
--------- Hex Payload End -----------
^RNFR\s[^\n]{100}
content:"RNFR ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; content:"RNFR ####################################################################################################"; classtype:attempted-admin; sid:2103077; rev:2;)
Parser failed - skipping rule
^RNTO\s[^\n]{100}
content:"RNTO ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; content:"RNTO ####################################################################################################"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8;)
Parser failed - skipping rule
^SITE\s+CHOWN\s[^\n]{100}
content:"SITE CHOWN ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; content:"SITE CHOWN ####################################################################################################"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:2101562; rev:13;)
Parser failed - skipping rule
^SITE\s+CPWD\s[^\n]{100}
content:"SITE CPWD ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; content:"SITE CPWD ####################################################################################################"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:2101888; rev:9;)
Parser failed - skipping rule
^SITE\s+EXEC
content:"SITE EXEC";
|---------------------|
Building Rule: 2100361
-------- Hex Payload Start ----------
53 49 54 45 45 58 45 43 20 53 49 54 45 20 45 58 45 43
--------- Hex Payload End -----------
^SITE\s+NEWER
content:"SITE NEWER";
|---------------------|
Building Rule: 2101864
-------- Hex Payload Start ----------
53 49 54 45 20 4e 45 57 45 52 20 53 49 54 45 20 4e 45 57 45 52
--------- Hex Payload End -----------
^SITE\s+NEWER\s[^\n]{100}
content:"SITE NEWER ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; content:"SITE NEWER ####################################################################################################"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:2101920; rev:8;)
Parser failed - skipping rule
^SITE\s+ZIPCHK\s[^\n]{100}
content:"SITE ZIPCHK ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; content:"SITE ZIPCHK ####################################################################################################"; reference:cve,2000-0040; classtype:attempted-admin; sid:2101921; rev:7;)
Parser failed - skipping rule
^SITE\s[^\n]{100}
content:"SITE ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; content:"SITE ####################################################################################################"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:2101529; rev:12;)
Parser failed - skipping rule
^STAT\s[^\n]{100}
content:"STAT ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; content:"STAT ####################################################################################################"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13;)
Parser failed - skipping rule
^STOU\s[^\n]{100}
content:"STOU ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; content:"STOU ####################################################################################################"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5;)
Parser failed - skipping rule
^USER\s[^\n]{100}
content:"USER ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; content:"USER ####################################################################################################"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:2101734; rev:32;)
Parser failed - skipping rule
^XMKD\s[^\n]{100}
content:"XMKD ####################################################################################################";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; content:"XMKD ####################################################################################################"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2100353
-------- Hex Payload Start ----------
50 41 53 53 20 64 64 64 40 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101927
-------- Hex Payload Start ----------
61 75 74 68 6f 72 69 7a 65 64 5f 6b 65 79 73
--------- Hex Payload End -----------
^MDTM \d+[-+]\D
content:"MDTM 0-A";
|---------------------|
Building Rule: 2102416
-------- Hex Payload Start ----------
4d 44 54 4d 20 4d 44 54 4d 20 30 2d 41
--------- Hex Payload End -----------
^MODE\s+[^ABSC]{1}
content:"MODE #";
|---------------------|
Building Rule: 2101623
-------- Hex Payload Start ----------
4d 4f 44 45 20 4d 4f 44 45 20 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100354
-------- Hex Payload Start ----------
70 61 73 73 20 2d 69 73 73 40 69 73 73
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP large PWD command"; flow:to_server,established; content:"PWD"; isdataat:7,relative; content:!"|0A|"; within:7; nocase; classtype:protocol-command-decode; sid:2101624; rev:9;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2100355
-------- Hex Payload Start ----------
70 61 73 73 20 77 68 30 30 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100356
-------- Hex Payload Start ----------
52 45 54 52 20 70 61 73 73 77 64
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100357
-------- Hex Payload Start ----------
70 61 73 73 20 2d 63 6b 6c 61 75 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100358
-------- Hex Payload Start ----------
70 61 73 73 20 2d 73 61 69 6e 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100359
-------- Hex Payload Start ----------
70 61 73 73 20 2d 73 61 74 61 6e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101928
-------- Hex Payload Start ----------
52 45 54 52 20 73 68 61 64 6f 77
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100362
-------- Hex Payload Start ----------
20 2d 2d 75 73 65 2d 63 6f 6d 70 72 65 73 73 2d 70 72 6f 67 72 61 6d 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101327
-------- Hex Payload Start ----------
00 01 57 00 00 00 18 20 ff ff ff ff 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101638
-------- Hex Payload Start ----------
56 65 72 73 69 6f 6e 5f 4d 61 70 70 65 72
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2100617
-------- Hex Payload Start ----------
00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101199
-------- Hex Payload Start ----------
2e 2e 2f 2e 2e 2f 2e 2e 2f
--------- Hex Payload End -----------
^Argument\s+\/
content:"Argument /";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; content:"Argument /"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2100571
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:11;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2101751
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2101261
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2101323
-------- Hex Payload Start ----------
2d 73 6f 61 20 25 70
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4;)
Parser failed - skipping rule
^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)
content:"-";
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"-"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9;) Parser failed - skipping rule ^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"-"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"-"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12;) Parser failed - skipping rule ^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"-"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"-"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103437; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103188; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103433; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103438; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103189; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103434; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103185; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103184; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103439; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103190; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103435; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103440; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103191; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103436; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103187; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9;) Parser failed - skipping rule ^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"-"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"-"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102512; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2102526 Error here depth! Error here within! Error here within! -------- Hex Payload Start ---------- 00 20 20 20 ff 53 4d 42 20 05 20 0b 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102513; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2102385 Error here depth! Error here depth! Error here within! 
-------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 73 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 60 20 00 00 00 62 06 83 00 00 06 2b 06 01 05 05 02 06 0a 2b 06 01 04 01 82 37 02 02 0a a3 3e 30 3c a0 30 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:8;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:9;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103389; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103385; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103390; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103386; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103391; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103387; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103392; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4;) Parser failed - skipping rule ^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"-"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"-"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9;) Parser failed - skipping rule ^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"-"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"-"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103405; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103401; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103406; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103402; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103407; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103403; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103408; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103268; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103264; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103269; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103265; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103270; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103266; rev:6;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103271; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102939; rev:7;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103038; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103030; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103046; rev:5;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103054; rev:5;) Parser failed - skipping rule ^.{27} content:"000000000000000000000000000"; Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"000000000000000000000000000"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103022; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103040; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103032; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103048; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103056; rev:5;) Parser failed - skipping rule ^.{27} content:"000000000000000000000000000"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"000000000000000000000000000"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103024; rev:3;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103230; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103231; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103227; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103226; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103232; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103233; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103229; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103228; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103421; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103417; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103422; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103418; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103423; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103419; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103424; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103420; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103003; rev:7;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103248; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103253; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103249; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103254; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103250; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103255; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103251; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103126; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103127; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103123; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103122; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103128; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103129; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103125; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103124; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103110; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103106; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103111; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103107; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103112; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103097; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103108; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103113; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103109; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103172; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103168; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103173; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103169; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103174; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103170; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103175; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102478; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102476; rev:8;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103215; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103211; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102479; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102477; rev:8;) Parser failed - skipping rule ^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74) content:"u"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; content:"u"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103217; rev:4;) Parser failed - skipping rule Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4;) Parser failed - skipping rule
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101908; rev:10;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:2101909; rev:13;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101916; rev:10;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101914; rev:11;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102184; rev:8;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101912; rev:10;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102255; rev:5;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101965; rev:9;)
Parser failed - skipping rule
BASE_path=(?:(?:ht|f)tps?|data|php) uricontent:"BASE_path=";
|---------------------| Building Rule: 2019524 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2101334 -------- Hex Payload Start ---------- 2f 62 69 6e 2f 65 63 68 6f --------- Hex Payload End -----------
|---------------------| Building Rule: 2101350 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101649 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101877 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100953 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100952 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100951 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100958 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100959 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100961 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100965 -------- Hex
Payload Start ---------- --------- Hex Payload End ----------- \.cmd\x22.*?\x26 uricontent:".cmd"&"; |---------------------| Building Rule: 2103193 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2100977 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2100987 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101487 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101401 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2100994 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2100975 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101256 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.ida$ uricontent:".ida"; |---------------------| Building Rule: 2101242 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101243 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101245 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101244 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2102386 -------- Hex Payload Start ---------- 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 4e 65 67 6f 74 69 61 74 65 20 59 49 51 41 41 41 42 69 42 6f 4d 41 41 41 59 72 42 67 45 46 42 51 4b 67 67 67 42 54 4d 49 46 51 6f 41 34 77 44 41 59 4b 4b 77 59 42 42 41 47 43 4e 77 49 43 43 71 4d --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2101661 -------- Hex Payload Start ---------- 63 6d 64 33 32 2e 65 78 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2101003 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101008 -------- Hex Payload Start ---------- 26 64 65 6c 2b 2f 73 2b 63 3a 5c 2a 2e 2a --------- Hex Payload End -----------
|---------------------| Building Rule: 2101009 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101013 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101016 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2100993 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101018 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101402 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101046 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2101945 -------- Hex Payload Start ---------- 2f 2e 2e 25 32 35 35 63 2e 2e --------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; http_raw_uri; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14;)
Parser failed - skipping rule
|---------------------| Building Rule: 2100982 -------- Hex Payload Start ---------- 2f 2e 2e 25 63 31 25 31 63 2e 2e 2f --------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; http_raw_uri; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:19;) Parser failed - skipping rule |---------------------| Building Rule: 2101129 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101071 -------- Hex Payload Start ---------- 2e 68 74 70 61 73 73 77 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101145 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101603 -------- Hex Payload Start ---------- 44 45 4c 45 54 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101874 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- username=[^&\x3b\r\n]{250} content:"username=##########################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; fast_pattern:only; http_uri; nocase; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; content:"username=##########################################################################################################################################################################################################################################################"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2101055 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101108 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101519 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101102 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2102585 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101403 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2101059 -------- Hex Payload Start ---------- 78 70 5f 66 69 6c 65 6c 69 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 100000428 -------- Hex Payload Start ---------- 47 45 54 20 25 2e 20 48 54 54 50 2f 31 2e --------- Hex Payload End ----------- ^EXPN[^\n]{255} 
content:"EXPN###############################################################################################################################################################################################################################################################"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; content:"EXPN###############################################################################################################################################################################################################################################################"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9;) Parser failed - skipping rule ^RCPT TO\x3a\s[^\n]{300} content:"RCPT TO: ############################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:!"|0a|"; within:300; isdataat:300; content:"RCPT TO: ############################################################################################################################################################################################################################################################################################################"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:17;) Parser failed - skipping rule ^expn\s+decode content:"expn decode"; |---------------------| Building Rule: 2100659 -------- Hex Payload Start ---------- 65 78 70 6e 20 64 65 63 6f 64 65 20 65 78 70 6e 20 64 65 63 6f 64 65 --------- Hex Payload End ----------- ^expn\s+root content:"expn root"; |---------------------| Building Rule: 2100660 -------- Hex Payload Start ---------- 65 78 70 6e 72 6f 6f 74 20 65 78 70 6e 20 72 6f 6f 74 --------- Hex Payload End ----------- ^vrfy\s+decode content:"vrfy decode"; |---------------------| Building Rule: 2100672 -------- Hex Payload Start ---------- 76 72 66 79 20 64 65 63 6f 64 65 20 76 72 66 79 20 64 65 63 6f 64 65 --------- Hex Payload End ----------- ^vrfy\s+root content:"vrfy root"; |---------------------| Building Rule: 2101446 -------- Hex Payload Start ---------- 76 72 66 79 20 72 6f 6f 74 20 76 72 66 79 20 72 6f 6f 74 --------- Hex Payload End ----------- TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256}) content:"TO_CHAR(SYSTIMESTAMP,'################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102699 Parser failed - 
skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000}))) content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102600 Parser failed - skipping rule ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512}) NOT IMPL not _simple(av) in REPEATING CODES content:"ALTER FILE '################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102697 Parser failed - skipping rule 
\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102618 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102610 Parser failed - skipping rule \((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) NOT IMPL not _simple(av) in REPEATING CODES 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102607 Parser failed - skipping rule |---------------------| Building Rule: 2101674 Parser failed - skipping rule CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512}) NOT IMPL not _simple(av) in REPEATING CODES content:"CREATE FILE '################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; content:"CREATE FILE '################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; classtype:attempted-user; sid:2102698; rev:3;) Parser failed - skipping rule \(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))) NOT IMPL not _simple(av) in REPEATING CODES content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; 
|---------------------| Building Rule: 2102604 Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';logfile=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';logfile=>"; classtype:attempted-user; sid:2102678; rev:3;) Parser failed - skipping rule \(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}) 
content:"('###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102708 Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:4;) Parser failed - skipping rule \(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}) 
content:"('###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102711 Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';missing_rows_oname1=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';missing_rows_oname1=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';missing_rows_oname1=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';missing_rows_oname1=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:2;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL 
Groupref content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; classtype:attempted-user; sid:2102674; rev:2;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; classtype:attempted-user; sid:2102599; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:2;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';type=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; classtype:attempted-user; sid:2102609; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gowner=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gowner=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';type=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';operation=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';operation=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';fname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';fname=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:4;) Parser failed - skipping rule 
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:3;) Parser failed - skipping rule 
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; classtype:attempted-user; sid:2102601; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';type=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gowner=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gowner=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:3;) Parser failed - skipping rule 
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';package_prefix=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';package_prefix=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gowner=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gowner=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:3;) Parser failed - skipping rule 
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';operation=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';operation=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';sname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})) NOT IMPL Groupref 
content:"A:='#################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern:only; content:"A:='#################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';privilege_type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';privilege_type=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';privilege_type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';privilege_type=>"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';userid=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';userid=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; classtype:attempted-user; sid:2102641; rev:5;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; classtype:attempted-user; sid:2102645; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; classtype:attempted-user; sid:2102647; rev:4;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';object_type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';object_type=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; classtype:attempted-user; sid:2102676; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';privilege_type=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';privilege_type=>"; classtype:attempted-user; sid:2102675; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref 
content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern:only; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';refresh_template_name=>"; classtype:attempted-user; sid:2102677; rev:3;) Parser failed - skipping rule \(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}) 
content:"('################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102623 Parser failed - skipping rule \(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}) 
content:"('################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102621 Parser failed - skipping rule \(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}) 
content:"('################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102622 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102602 Parser failed - skipping rule \((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) NOT IMPL not _simple(av) in REPEATING CODES 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102638 Parser failed - skipping rule \(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('',true,'########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102640 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102642 Parser failed - skipping rule \(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"(TIMESTAMP'#','########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102644 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102616 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102646 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102648 Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})) NOT IMPL Groupref content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';layer=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';layer=>"; classtype:attempted-user; sid:2102683; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})) NOT IMPL Groupref content:"A:='################################################################################################################################';layer=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; content:"A:='################################################################################################################################';layer=>"; classtype:attempted-user; sid:2102682; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})) NOT IMPL Groupref content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';layer=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; content:"A:='################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';layer=>"; classtype:attempted-user; sid:2102681; rev:3;) Parser failed - skipping rule numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32}) content:"numtoyminterval(0,'################################"; |---------------------| Building Rule: 2102700 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102653 Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102634 Parser failed - skipping rule \(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) NOT IMPL not _simple(av) in REPEATING CODES 
content:"('','########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102632 Parser failed - skipping rule \(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))) 
content:"('','########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102630 Parser failed - skipping rule \((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))) 
content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102628 Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3;) Parser failed - skipping rule \(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})) content:"('########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102636 Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:3;) Parser failed - skipping rule \(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}) 
content:"('###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; content:"('###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3;) Parser failed - skipping rule ((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})) NOT IMPL Groupref 
content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern:only; content:"A:='###################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################';gname=>"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:3;) Parser failed - skipping rule TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})) 
content:"TIME_ZONE='########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; content:"TIME_ZONE='########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3;) Parser failed - skipping rule \(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))) 
content:"('','########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2102625 Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2100692 -------- Hex Payload Start ---------- 39 20 d0 00 92 01 c2 00 52 00 55 00 39 20 ec 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100694 -------- Hex Payload Start ---------- 48 00 25 00 78 00 77 00 90 00 90 00 90 00 90 00 90 00 33 00 c0 00 50 00 68 00 2e 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100678 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 64 00 65 00 6c 00 65 00 74 00 65 00 5f 00 61 00 6c 00 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100677 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100676 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 00 70 00 5f 00 73 00 74 00 61 00 72 00 74 00 5f 00 6a 00 6f 00 62 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100681 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 00 70 00 5f 00 63 00 6d 00 64 00 73 00 68 00 65 00 6c 00 6c 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100690 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 00 70 00 5f 00 70 00 72 00 69 00 6e 00 74 00 73 00 74 00 61 00 74 00 65 00 6d 00 65 00 6e 00 74 00 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100689 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 00 70 00 5f 00 72 00 65 00 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100695 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 00 70 00 5f 00 73 00 70 00 72 00 69 00 6e 00 74 00 66 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100691 -------- Hex Payload Start ---------- 39 20 d0 00 92 01 c2 00 52 00 55 00 39 20 ec 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100693 -------- Hex Payload Start ---------- 48 00 25 00 78 00 77 00 90 00 90 00 90 00 90 00 90 00 33 00 c0 00 50 00 68 00 2e 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100685 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 61 00 64 00 64 00 75 00 73 00 65 00 72 00 --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2100684 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 64 00 65 00 6c 00 65 00 74 00 65 00 5f 00 61 00 6c 00 65 00 72 00 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100683 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100673 -------- Hex Payload Start ---------- 73 00 70 00 5f 00 73 00 74 00 61 00 72 00 74 00 5f 00 6a 00 6f 00 62 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100687 -------- Hex Payload Start ---------- 78 00 70 00 5f 00 63 00 6d 00 64 00 73 00 68 00 65 00 6c 00 6c 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100686 -------- Hex Payload Start ---------- 78 00 70 00 5f 00 72 00 65 00 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101775 -------- Hex Payload Start ---------- 0a 00 00 01 85 04 00 00 80 72 6f 6f 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101776 -------- Hex Payload Start ---------- 0f 00 00 00 03 73 68 6f 77 20 64 61 74 61 62 61 73 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101759 -------- Hex Payload Start ---------- 78 00 70 00 5f 00 63 00 6d 00 64 00 73 00 68 00 65 00 6c 00 6c 00 --------- Hex Payload End ----------- T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T content:"TTYPROMPT"; |---------------------| Building Rule: 2103274 -------- Hex Payload Start ---------- ff fa 27 00 00 20 54 54 59 50 52 4f 4d 50 54 --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2102123 -------- Hex Payload Start ---------- 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 --------- Hex Payload End ----------- type threshold,track by_dst,count 10,seconds 60 |---------------------| Building Rule: 2102923 Error here depth! Error here within! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 20 73 20 6d 00 00 c0 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101251 -------- Hex Payload Start ---------- 4c 6f 67 69 6e 20 69 6e 63 6f 72 72 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102010 -------- Hex Payload Start ---------- 66 72 65 65 28 29 3a 20 77 61 72 6e 69 6e 67 3a 20 63 68 75 6e 6b 20 69 73 20 61 6c 72 65 61 64 79 20 66 72 65 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102011 -------- Hex Payload Start ---------- 45 20 70 72 6f 74 6f 63 6f 6c 20 65 72 72 6f 72 3a 20 69 6e 76 61 6c 69 64 20 64 69 72 65 63 74 6f 72 79 20 73 79 6e 74 61 78 20 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2102013 -------- Hex Payload Start ---------- 63 76 73 20 73 65 72 76 65 72 3a 20 63 61 6e 6e 6f 74 20 66 69 6e 64 20 6d 6f 64 75 6c 65 20 65 72 72 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102009 -------- Hex Payload Start ---------- 65 72 72 6f 72 20 20 3a 20 6e 6f 20 73 75 63 68 20 72 65 70 6f 73 69 74 6f 72 79 20 
49 20 48 41 54 45 20 59 4f 55 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102008 -------- Hex Payload Start ---------- 45 20 46 61 74 61 6c 20 65 72 72 6f 72 2c 20 61 62 6f 72 74 69 6e 67 2e 20 3a 20 6e 6f 20 73 75 63 68 20 75 73 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102012 -------- Hex Payload Start ---------- 45 20 70 72 6f 74 6f 63 6f 6c 20 65 72 72 6f 72 3a 20 52 6f 6f 74 20 72 65 71 75 65 73 74 20 6d 69 73 73 69 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102317 -------- Hex Payload Start ---------- 45 20 63 76 73 20 73 65 72 76 65 72 3a 20 77 61 72 6e 69 6e 67 3a 20 63 61 6e 6e 6f 74 20 6d 61 6b 65 20 64 69 72 65 63 74 6f 72 79 20 43 56 53 20 69 6e 20 2f --------- Hex Payload End ----------- type threshold,track by_dst,count 10,seconds 60 |---------------------| Building Rule: 2102924 Error here depth! Error here within! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 20 73 20 6d 00 00 c0 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102587 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 65 4d 75 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102104 -------- Hex Payload Start ---------- 75 73 65 72 6e 61 6d 65 20 74 6f 6f 20 6c 6f 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100605 -------- Hex Payload Start ---------- 6c 6f 67 69 6e 20 69 6e 63 6f 72 72 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100611 -------- Hex Payload Start ---------- 01 72 6c 6f 67 69 6e 64 3a 20 50 65 72 6d 69 73 73 69 6f 6e 20 64 65 6e 69 65 64 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2100511 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 49 6e 76 61 6c 69 64 20 6c 6f 67 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2100512 -------- Hex Payload Start ---------- 49 6e 76 61 6c 69 64 20 6c 6f 67 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2101900 -------- Hex Payload Start ---------- 2a 47 4f 42 42 4c 45 2a --------- Hex Payload End ----------- |---------------------| Building Rule: 2101901 -------- Hex Payload Start ---------- 2a 47 4f 42 42 4c 45 2a --------- Hex Payload End ----------- |---------------------| Building Rule: 2101631 -------- Hex Payload Start ---------- 2a 02 20 20 20 20 00 17 00 06 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100876 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2101991 -------- Hex Payload Start ---------- 55 53 52 20 20 20 54 57 4e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101986 -------- Hex Payload Start ---------- 4d 53 47 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 6e 6d 73 67 72 70 32 70 49 4e 56 49 54 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101990 -------- Hex Payload Start ---------- 43 41 4c 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102586 -------- Hex Payload Start ---------- e3 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102455 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 1d --------- Hex Payload End ----------- |---------------------| Building Rule: 2102459 Error here depth! 
-------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102452 Error here depth! -------- Hex Payload Start ---------- 59 4d 53 47 20 20 20 20 20 20 00 12 --------- Hex Payload End ----------- ^\x3c(REQIMG|RVWCFG)\x3e content:"<REQIMG>"; |---------------------| Building Rule: 2102460 -------- Hex Payload Start ---------- 3c 52 20 3c 52 45 51 49 4d 47 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2100232 -------- Hex Payload Start ---------- 3c 73 74 72 65 61 6d 3a 73 74 72 65 61 6d 20 74 6f 3d 5c 22 67 6d 61 69 6c 2e 63 6f 6d 5c 22 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 300 |---------------------| Building Rule: 2100877 -------- Hex Payload Start ---------- 67 6f 6f 67 6c 65 2e 63 6f 6d 20 6a 61 62 62 65 72 3a 63 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100230 -------- Hex Payload Start ---------- 3c 73 74 72 65 61 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2100233 -------- Hex Payload Start ---------- 3c 6d 65 73 73 61 67 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101640 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 20 3a 2e 44 43 43 20 43 48 41 54 20 63 68 61 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101639 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 20 3a 2e 44 43 43 20 53 45 4e 44 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101729 -------- Hex Payload Start ---------- 4a 4f 49 4e 20 3a 20 23 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102181 -------- Hex Payload Start ---------- 13 42 69 74 54 6f 72 72 65 6e 74 20 70 72 6f 74 6f 63 6f 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2100541 
-------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 49 43 51 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102180 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100557 -------- Hex Payload Start ---------- 47 4e 55 54 45 4c 4c 41 20 4f 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2101432 -------- Hex Payload Start ---------- 47 4e 55 54 45 4c 4c 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100540 -------- Hex Payload Start ---------- 4d 53 47 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; content:"403"; http_stat_code; classtype:attempted-recon; sid:2101201; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2100494 -------- Hex Payload Start ---------- 43 6f 6d 6d 61 6e 64 20 63 6f 6d 70 6c 65 74 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100495 -------- Hex Payload Start ---------- 42 61 64 20 63 6f 6d 6d 61 6e 64 20 6f 72 20 66 69 6c 65 6e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100497 -------- Hex Payload Start ---------- 31 20 66 69 6c 65 28 73 29 20 63 6f 70 69 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101886 -------- Hex Payload Start ---------- 75 69 64 3d 20 28 61 70 61 63 68 65 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101883 -------- Hex Payload Start ---------- 75 69 64 3d 20 28 6e 6f 62 6f 64 79 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101884 -------- Hex Payload Start ---------- 75 69 
64 3d 20 28 77 65 62 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101666 -------- Hex Payload Start ---------- 49 6e 64 65 78 20 6f 66 20 2f 63 67 69 2d 62 69 6e 2f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2100680 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4c 6f 67 69 6e 20 66 61 69 6c 65 64 20 66 6f 72 20 75 73 65 72 20 27 73 61 27 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2100688 -------- Hex Payload Start ---------- 4c 6f 67 69 6e 20 66 61 69 6c 65 64 20 66 6f 72 20 75 73 65 72 20 27 73 61 27 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100492 -------- Hex Payload Start ---------- 4c 6f 67 69 6e 20 66 61 69 6c 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100717 -------- Hex Payload Start ---------- 6e 6f 74 20 6f 6e 20 73 79 73 74 65 6d 20 63 6f 6e 73 6f 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100719 -------- Hex Payload Start ---------- 6c 6f 67 69 6e 3a 20 72 6f 6f 74 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101959; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101961; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2101950 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 01 20 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102015 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 02 20 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2102017; rev:13;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2101280 Error here depth! Error here within! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 04 20 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2101923 Error here depth! Error here within! Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 00 01 86 a0 20 20 20 20 00 00 00 05 20 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101732; rev:10;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101277; rev:10;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2102003 -------- Hex Payload Start ---------- 04 20 81 f1 03 01 04 9b 81 f1 01 20 73 6f 63 6b 20 73 65 6e 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100516 -------- Hex Payload Start ---------- 2b 06 10 40 14 d1 02 19 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101892 -------- Hex Payload Start ---------- 20 20 20 20 20 04 01 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101413 -------- Hex Payload Start ---------- 70 72 69 76 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101411 -------- Hex Payload Start ---------- 70 75 62 6c 69 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100227 -------- Hex Payload Start ---------- 25 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101427 -------- Hex Payload Start ---------- 30 38 02 01 00 04 06 70 75 62 6c 69 63 a4 2b 06 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101867 -------- Hex Payload Start ---------- 00 01 00 02 00 01 00 --------- Hex Payload End ----------- ^Location\x3a[^\n]{128} content:"Location:################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; content:"Location:################################################################################################################################"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14;) Parser failed - skipping rule |---------------------| Building Rule: 2101384 -------- Hex Payload Start ---------- 4e 4f 54 49 46 59 20 2a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102413 Error here depth! Error here depth! Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 08 20 20 20 20 20 20 20 20 20 20 20 0c 20 00 04 --------- Hex Payload End ----------- ^a\x3D[^\n]{1000,} content:"a=########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################"; |---------------------| Building Rule: 2100223 -------- Hex Payload Start ---------- 3b 62 72 61 6e 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2100256 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 07 61 75 74 68 6f 72 73 20 04 62 69 6e 64 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100252 -------- Hex Payload Start ---------- 20 20 09 80 00 00 00 01 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101616 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 07 76 65 72 73 69 6f 6e 20 04 62 69 6e 64 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101948 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 fc --------- Hex Payload End ----------- |---------------------| Building Rule: 2100566 -------- Hex Payload Start ---------- 53 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100315 -------- Hex 
Payload Start ---------- 5e b0 02 89 06 fe c8 89 46 04 b0 06 89 46 --------- Hex Payload End ----------- |---------------------| Building Rule: 2100319 -------- Hex Payload Start ---------- 41 39 30 c0 a8 01 01 2f 62 69 6e 2f 73 68 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101222 -------- Hex Payload Start ---------- 00 01 25 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2100518 -------- Hex Payload Start ---------- 00 02 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101907; rev:11;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2101963; rev:10;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101915; rev:10;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101913; rev:11;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102185; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102256; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101964; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2102043 Error here depth! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 05 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 01 01 00 00 18 --------- Hex Payload End ----------- |---------------------| Building Rule: 2102004 -------- Hex Payload Start ---------- 04 20 81 f1 03 01 04 9b 81 f1 20 73 6f 63 6b 20 73 65 6e 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101289 -------- Hex Payload Start ---------- 00 01 20 61 64 6d 69 6e 2e 64 6c 6c --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2101441 -------- Hex Payload Start ---------- 00 01 20 6e 63 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101443 -------- Hex Payload Start ---------- 00 01 20 70 61 73 73 77 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2101442 -------- Hex Payload Start ---------- 00 01 20 73 68 61 64 6f 77 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015671 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 2d --------- Hex Payload End ----------- app\x3D[^\x26\s\r\n]{257} content:"app=#################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/OvCgi/snmpviewer.exe"; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; content:"app=#################################################################################################################################################################################################################################################################"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:6;) Parser failed - skipping rule act\x3D[^\x26\s\r\n]{257} content:"act=#################################################################################################################################################################################################################################################################"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/OvCgi/snmpviewer.exe"; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; content:"act=#################################################################################################################################################################################################################################################################"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2011577 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \/getfile\.php\?r=-?\d+&p= uricontent:"/getfile.php?r=0&p="; |---------------------| Building Rule: 2011578 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011584; rev:9;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"101"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; reference:url,www.oracle.com/technetwork/java/javase/2col/6u85-bugfixes-2298235.html; classtype:bad-unknown; sid:2011582; rev:38;) Parser failed - skipping rule id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"id_livello=0script"; |---------------------| Building Rule: 2011571 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2011573 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011574 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011572 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"page=0script"; |---------------------| Building Rule: 2011566 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- input_file=\s*(ftps?|https?|php)\:\/ uricontent:"input_file=ftp:/"; |---------------------| Building Rule: 2011565 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- lang_path=\s*(ftps?|https?|php)\:\/ uricontent:"lang_path=ftp:/"; |---------------------| Building Rule: 2011564 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End 
----------- |---------------------| Building Rule: 2011563 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011562 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011557 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011558 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011559 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011560 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011561 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011554 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- target=\w*\; uricontent:"target=;"; |---------------------| Building Rule: 2011555 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- current_user_id=\s*(ftps?|https?|php)\:\/ uricontent:"current_user_id=ftp:/"; |---------------------| Building Rule: 2011552 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- current_user_id=\s*(ftps?|https?|php)\:\/ uricontent:"current_user_id=ftp:/"; |---------------------| Building Rule: 2011553 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 
2011547 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011544 -------- Hex Payload Start ---------- 63 70 61 6b 2f 43 72 69 6d 65 70 61 63 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2011543 -------- Hex Payload Start ---------- 74 53 41 43 1d 02 00 00 00 00 00 0f 00 00 00 ae 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 ff ff 11 11 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011540 -------- Hex Payload Start ---------- 16 20 0b 20 55 04 0a 20 49 6e 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 20 4c 74 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011538 -------- Hex Payload Start ---------- 61 70 70 6c 65 74 43 6f 6d 70 6f 6e 65 6e 74 41 72 63 68 2e 44 79 6e 61 6d 69 63 54 72 65 65 41 70 70 6c 65 74 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d 50 41 52 41 4d --------- Hex Payload End ----------- \x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E) Parser failed - skipping rule \x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73) Parser failed - skipping rule |---------------------| Building Rule: 2011527 -------- Hex Payload Start ---------- 00 00 5c 00 72 00 65 00 63 00 79 00 63 00 6c 00 65 00 72 00 5c 00 2e 00 65 00 78 00 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011517 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 34 2e 30 31 3b 20 44 69 67 69 74 61 6c 20 41 6c 70 68 61 53 65 72 76 65 72 20 31 30 30 30 41 20 34 2f 32 33 33 3b 20 57 69 6e 64 6f 77 73 20 4e 54 3b 20 50 6f 77 65 72 65 64 20 42 79 20 36 34 2d 42 69 74 20 41 6c 70 68 61 20 50 72 6f 63 65 73 73 6f 72 29 0d 0a 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2011518 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 34 2e 30 31 3b 20 44 69 67 69 74 61 6c 20 41 6c 70 68 61 53 65 72 76 65 72 20 31 30 30 30 41 20 34 2f 32 33 33 3b 20 57 69 6e 64 6f 77 73 20 4e 54 3b 20 50 6f 77 65 72 65 64 20 42 79 20 36 34 2d 42 69 74 20 41 6c 70 68 61 20 50 72 6f 63 65 73 73 6f 72 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011511 -------- Hex Payload Start ---------- 47 45 54 20 2f 63 6f 6e 66 69 67 4e 74 6f 70 2e 68 74 6d 6c 20 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 42 61 73 69 63 3d 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2011512 -------- Hex Payload Start ---------- 47 45 54 20 2f 63 6f 6e 66 69 67 4e 74 6f 70 2e 68 74 6d 6c 20 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 42 61 73 69 63 3d 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2011499 -------- Hex Payload Start ---------- 50 44 46 2d 2e 73 77 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011500 -------- Hex Payload Start ---------- 2c e8 88 f0 ff 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011502 -------- Hex Payload Start ---------- 50 4f 53 54 20 3c 21 44 4f 43 54 59 50 45 3c 21 45 4e 54 49 54 59 3c 73 6f 61 70 65 6e 76 3a 45 6e 76 65 6c 6f 70 65 3c 6e 73 31 3a 55 73 65 72 6e 61 6d 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2011503 -------- Hex Payload Start ---------- 3c 73 6f 61 70 3a 66 61 75 6c 74 73 74 72 69 6e 67 3e 55 6e 6b 6e 6f 77 6e 20 75 73 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011504 -------- Hex Payload Start ---------- 50 44 46 2d 20 2e 72 65 70 6c 61 63 65 28 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2011505 -------- Hex Payload Start ---------- 50 44 46 2d 2f 53 75 62 54 79 70 65 20 66 6c 61 73 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011506 -------- Hex Payload Start ---------- 50 44 46 2d 65 76 61 6c 28 --------- Hex Payload End ----------- \x3C\x3C[^>]*\x2FEmbeddedFile content:"<</EmbeddedFile"; |---------------------| Building Rule: 2011507 -------- Hex Payload Start ---------- 6f 62 6a 20 3c 3c 2f 45 6d 62 65 64 64 65 64 46 69 6c 65 20 3c 3c 2f 45 6d 62 65 64 64 65 64 46 69 6c 65 --------- Hex Payload End ----------- type limit, track by_src,count 1, seconds 60 |---------------------| Building Rule: 2011497 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 48 79 64 72 61 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011489 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011485 -------- Hex Payload Start ---------- 46 4c 56 6f 6e 4d 65 74 61 44 61 74 61 20 07 50 75 08 --------- Hex Payload End ----------- \?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$ uricontent:"?uid=0000000000000000000000000000000000000000&action=A&v=A&b=0"; |---------------------| Building Rule: 2011414 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B content:"<OBJECT classid=clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; |---------------------| Building Rule: 2011412 -------- Hex Payload Start ---------- 63 6c 73 69 64 30 32 42 46 32 35 44 35 2d 38 43 31 37 2d 34 42 32 33 2d 42 43 38 30 2d 44 33 34 38 38 41 42 44 44 43 36 42 20 5f 4d 61 72 73 68 61 6c 65 64 5f 70 55 6e 6b 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 32 42 46 32 35 44 35 2d 38 43 31 37 2d 34 42 32 33 2d 
42 43 38 30 2d 44 33 34 38 38 41 42 44 44 43 36 42 --------- Hex Payload End ----------- fingerprint=\w*\; uricontent:"fingerprint=;"; |---------------------| Building Rule: 2011413 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011409 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 63 6f 02 63 63 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011410 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 63 7a 02 63 63 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011389 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 77 33 61 66 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011390 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 63 69 72 74 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- class_path=\s*(ftps?|https?|php)\:\/ uricontent:"class_path=ftp:/"; |---------------------| Building Rule: 2011377 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011378 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011794 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011380 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011381 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET 
uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011382 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"url=0script"; |---------------------| Building Rule: 2011383 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- fm_includes_special=\s*(ftps?|https?|php)\:\/ uricontent:"fm_includes_special=ftp:/"; |---------------------| Building Rule: 2011384 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011385 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; content:"POST"; http_method; nocase; content:"[System Process]|0a|"; http_client_body; depth:17; classtype:trojan-activity; sid:2011364; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2011365 -------- Hex Payload Start ---------- 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2011357 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011311 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011312 -------- Hex Payload Start ---------- 50 4f 53 54 20 48 6f 73 74 3a 20 68 69 64 65 2d 6d 79 2d 69 70 2e 63 6f 6d 20 63 6d 64 3d 20 76 65 72 3d 20 68 63 6f 64 65 3d 20 70 72 6f 64 75 63 74 3d 20 79 65 61 72 3d 20 78 68 63 6f 64 65 3d --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST"; http_method; content:".php"; http_uri; nocase; content:"f="; http_client_body; content:"&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l="; http_client_body; content:"&ck="; http_client_body; content:"&c_fb="; http_client_body; content:"&c_ms="; http_client_body; content:"&c_hi="; http_client_body; content:"&c_be="; http_client_body; content:"&c_fr="; http_client_body; content:"&c_yb="; http_client_body; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:trojan-activity; sid:2009156; rev:9;) Parser failed - skipping rule |---------------------| Building Rule: 2011279 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 31 3b 20 4d 61 64 65 20 77 69 74 68 20 77 77 77 2e 62 72 6f 77 73 65 72 62 6f 62 2e 63 6f 6d 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011278 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011281 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 50 68 6f 65 6e 69 78 20 45 78 70 6c 6f 69 74 27 73 20 4b 69 74 20 2d 20 4c 6f 67 20 49 6e 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2011280 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 50 68 6f 65 6e 69 78 20 45 78 70 6c 6f 69 74 27 73 20 4b 69 74 20 2d 20 4c 6f 67 20 49 6e 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2011282 -------- 
Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 63 72 61 70 65 42 6f 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011283 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 54 41 4c 57 69 6e 49 6e 65 74 48 54 54 50 43 6c 69 65 6e 74 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2011293 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 61 62 50 61 74 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011294 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 26 76 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2011289 -------- Hex Payload Start ---------- 47 6f 6f 74 6b 69 74 20 69 66 72 61 6d 65 72 20 63 6f 6d 70 6f 6e 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011290 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011287 -------- Hex Payload Start ---------- 3c 61 63 63 3e 3c 6c 6f 67 69 6e 3e 3c 2f 6c 6f 67 69 6e 3e 3c 70 61 73 73 3e 3c 2f 70 61 73 73 3e 3c 73 65 72 76 3e 3c 2f 73 65 72 76 3e 3c 70 6f 72 74 3e 32 31 3c 2f 70 6f 72 74 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2011297 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4b 52 4d 41 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2011295 -------- Hex Payload Start ---------- 18 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 --------- Hex Payload End ----------- 
2c 20 65 2c 20 6e 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011924 -------- Hex Payload Start ---------- 29 20 48 61 76 69 6a 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 --------- Hex Payload End ----------- \.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d uricontent:".php?id=aaaaaaaaaaaaaaax=0os=0n=0"; |---------------------| Building Rule: 2011925 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011926 -------- Hex Payload Start ---------- 29 20 58 2d 54 61 67 2f --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2011935 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011936 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- mailform_1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"mailform_1=0script"; |---------------------| Building Rule: 2011927 -------- Hex Payload Start ---------- 20 20 20 20 6d 61 69 6c 66 6f 72 6d 5f 31 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2011928 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2011929 -------- Hex Payload Start ---------- 47 45 54 20 20 6d 6f 73 43 6f 6e 66 69 67 5f 61 62 73 6f 6c 75 74 65 5f 70 61 74 68 3d --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2011930 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- 
DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011931 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011932 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011933 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011934 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011938 -------- Hex Payload Start ---------- 20 48 54 54 50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 20 48 6f 73 74 3a 20 20 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011939 -------- Hex Payload Start ---------- 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 20 48 6f 73 74 3a 20 20 2e 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011940 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011941 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"gid=0script"; |---------------------| Building Rule: 2011942 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; 
|---------------------| Building Rule: 2011943 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2011944 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2011945 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2011946 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2011947 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- theme_file=\s*(ftps?|https?|php)\:\/ uricontent:"theme_file=ftp:/"; |---------------------| Building Rule: 2011948 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- lang_file=\s*(ftps?|https?|php)\x3a\/ uricontent:"lang_file=ftp:/"; |---------------------| Building Rule: 2011949 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- theme_file=\s*(ftps?|https?|php)\x3a\/ uricontent:"theme_file=ftp:/"; |---------------------| Building Rule: 2011950 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- ^KEEPALIVE\x7c?\d content:"KEEPALIVE0"; |---------------------| Building Rule: 2013090 -------- Hex Payload Start ---------- 4b 45 45 50 41 4c 49 56 45 20 4b 45 45 50 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011967 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/html\/license_[0-9A-F]{550,}\.html 
uricontent:"/html/license_0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.html"; |---------------------| Building Rule: 2011969 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- type limit, track by_src,count 1,seconds 60 |---------------------| Building Rule: 2011974 -------- Hex Payload Start ---------- 47 45 54 20 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a --------- Hex Payload End ----------- type limit, track by_src,count 1, seconds 60 |---------------------| Building Rule: 2011975 -------- Hex Payload Start ---------- 58 2d 52 61 74 70 72 6f 78 79 2d 4c 6f 6f 70 3a 20 --------- Hex Payload End ----------- \x64\x12\x54\x6a[\x20\x10\x02]\x00\x00\x00\xf4\x1f\x00\x00 content:"d#Tj ######"; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System Buffer Overflow"; flow:established,to_server; content:"|64 12 54 6a|"; depth:4; content:"|00 00 00 f4 1f 00 00|"; distance:1; within:7; isdataat:220; content:!"|0a|"; distance:0; content:"d#Tj ######"; reference:url,www.exploit-db.com/exploits/15337/; classtype:attempted-dos; sid:2011976; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2011978 -------- Hex Payload Start ---------- 6d 61 72 67 69 6e 77 69 64 74 68 3d 5c 22 30 22 5c 20 6d 61 72 67 69 6e 68 65 69 67 68 74 3d 5c 22 30 22 5c 20 68 73 70 61 63 65 3d 5c 22 30 22 5c 20 76 73 70 61 63 65 3d 5c 22 30 22 5c 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 5c 22 30 22 5c 20 73 63 72 6f 6c 6c 69 6e 67 3d 5c 22 30 22 5c 20 62 6f 72 64 65 72 63 6f 6c 6f 72 3d 5c 22 23 30 30 30 30 30 30 5c 22 3e 3c 2f 49 46 52 41 4d 45 3e 22 29 3b 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2011979 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 65 64 45 58 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2011982 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2011987 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- adobe-flash\.v\.\d{5}\.exe uricontent:"adobe-flash.v.00000.exe"; |---------------------| Building Rule: 2011989 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011991 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 79 73 74 65 6d 70 61 63 6b 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2011994 -------- Hex Payload Start ---------- 48 45 4c 50 20 41 43 49 44 42 49 54 43 48 45 5a --------- Hex Payload End ----------- \x2Finvoice\x2Escr$ uricontent:"/invoice.scr"; |---------------------| Building Rule: 2011995 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \.php\?uid=\d{5,6}&ver=[^&]+(&traff=\d+)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?uid=00000&ver=#"; |---------------------| Building Rule: 2011996 -------- Hex Payload Start ---------- 20 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 61 72 6b 6e 65 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2011999 -------- Hex Payload Start ---------- 50 4f 53 54 20 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 4d 41 43 22 20 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 49 50 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012000 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012001 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012002 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012003 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012004 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET 
uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012005 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(ftps?|https?|php)\x3a\/ uricontent:"GLOBALS[MM_ROOT_DIRECTORY]=ftp:/"; |---------------------| Building Rule: 2012006 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- skin_file=\s*(ftps?|https?|php)\x3a\/ uricontent:"skin_file=ftp:/"; |---------------------| Building Rule: 2012007 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012008 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"i=0script"; |---------------------| Building Rule: 2012009 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012010 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- fm_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"fm_id=0script"; |---------------------| Building Rule: 2012011 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012012 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2012013 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012014 -------- Hex Payload Start ---------- 
47 45 54 20 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- doc_root=\s*(ftps?|https?|php)\:\/ uricontent:"doc_root=ftp:/"; |---------------------| Building Rule: 2012015 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012016 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012017 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012018 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012019 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012020 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012021 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012022 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- HomeCurrent_Date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"HomeCurrent_Date=0script"; |---------------------| Building Rule: 2012023 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- newlangsel=\s*(ftps?|https?|php)\x3a\/ uricontent:"newlangsel=ftp:/"; |---------------------| Building Rule: 
2012024 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012025 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e 2e 2f 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012026 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012027 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012028 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012029 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012030 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\/ uricontent:"ABTPV_BLOQUE_CENTRAL=ftp:/"; |---------------------| Building Rule: 2012031 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012032 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012033 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012034 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012035 -------- Hex 
Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012036 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012037 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012038 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012039 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- idart\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"idart=0script"; |---------------------| Building Rule: 2012040 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012041 -------- Hex Payload Start ---------- 25 35 33 25 37 34 25 37 32 25 36 39 25 36 65 25 36 37 25 32 65 25 36 36 25 37 32 25 36 66 25 36 64 25 34 33 25 36 38 25 36 31 25 37 32 25 34 33 25 36 66 25 36 34 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012042 -------- Hex Payload Start ---------- 25 75 35 33 25 75 37 34 25 75 37 32 25 75 36 39 25 75 36 65 25 75 36 37 25 75 32 65 25 75 36 36 25 75 37 32 25 75 36 66 25 75 36 64 25 75 34 33 25 75 36 38 25 75 36 31 25 75 37 32 25 75 34 33 25 75 36 66 25 75 36 34 25 75 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012043 -------- Hex Payload Start ---------- 25 36 33 25 36 38 25 36 31 25 37 32 25 34 33 25 36 66 25 36 34 25 36 35 25 34 31 25 37 34 --------- Hex Payload 
End ----------- |---------------------| Building Rule: 2012044 -------- Hex Payload Start ---------- 25 75 36 33 25 75 36 38 25 75 36 31 25 75 37 32 25 75 34 33 25 75 36 66 25 75 36 34 25 75 36 35 25 75 34 31 25 75 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012045 -------- Hex Payload Start ---------- 50 4f 53 54 20 65 78 65 63 3a 61 72 67 73 3a 55 70 67 72 61 64 65 54 6f 6f 6c 73 5f 54 61 73 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2012051 -------- Hex Payload Start ---------- 00 02 00 2e --------- Hex Payload End ----------- <object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\> content:"<objectclassid="clsid:4E3770F4-1937-4F05-B9A2-959BE7321909>"; |---------------------| Building Rule: 2012052 -------- Hex Payload Start ---------- 63 6c 73 69 64 20 34 45 33 37 37 30 46 34 2d 31 39 33 37 2d 34 46 30 35 2d 42 39 41 32 2d 39 35 39 42 45 37 33 32 31 39 30 39 22 49 63 6f 6e 49 6e 64 65 78 22 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 34 45 33 37 37 30 46 34 2d 31 39 33 37 2d 34 46 30 35 2d 42 39 41 32 2d 39 35 39 42 45 37 33 32 31 39 30 39 3e --------- Hex Payload End ----------- <object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\> content:"<objectclassid="clsid:4E3770F4-1937-4F05-B9A2-959BE7321909>"; |---------------------| Building Rule: 2012053 -------- Hex Payload Start ---------- 63 6c 73 69 64 20 34 45 33 37 37 30 46 34 2d 31 39 33 37 2d 34 46 30 35 2d 42 39 41 32 2d 39 35 39 42 45 37 33 32 31 39 30 39 22 54 65 78 74 22 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 34 45 33 37 37 30 46 34 2d 31 39 33 37 2d 34 46 30 35 2d 42 39 41 32 2d 39 35 39 42 45 37 33 32 31 39 30 39 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2012054 -------- Hex Payload Start ---------- 0d 0a 48 65 61 64 65 
72 58 3a 20 72 75 6e 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2012520 -------- Hex Payload Start ---------- d0 cf 11 e0 a1 b1 1a e1 20 69 --------- Hex Payload End ----------- \x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a content:"/index.tmpl::$DATA "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2012057 -------- Hex Payload Start ---------- 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012058 -------- Hex Payload Start ---------- 1b 25 2d 20 28 29 20 50 4a 4c 20 20 46 53 44 49 52 4c 49 53 54 20 4e 41 4d 45 3d 22 30 3a 5c 2e 2e 5c 2e 2e 5c 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2012059 -------- Hex Payload Start ---------- 25 36 34 25 36 66 25 36 33 25 37 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 65 25 37 37 25 37 32 25 36 39 25 37 34 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012060 -------- Hex Payload Start ---------- 25 75 36 34 25 75 36 66 25 75 36 33 25 75 37 35 25 75 36 64 25 75 36 35 25 75 36 65 25 75 37 34 25 75 32 65 25 75 37 37 25 75 37 32 25 75 36 39 25 75 37 34 25 75 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012061 -------- Hex Payload Start ---------- 25 36 31 25 37 32 25 36 37 25 37 35 25 36 64 25 36 35 25 36 65 25 37 34 25 37 33 25 32 65 25 36 33 25 36 31 25 36 63 25 36 63 25 36 35 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012062 -------- Hex Payload Start ---------- 25 75 36 31 25 75 37 32 25 75 36 37 25 75 37 35 25 75 36 64 25 75 36 35 25 75 36 65 25 75 37 34 25 75 37 33 25 75 32 65 25 75 36 33 25 75 36 31 25 75 36 63 25 75 36 63 25 75 36 35 25 75 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012063 Error here depth! Error here within! 
-------- Hex Payload Start ---------- 20 20 20 20 ff 53 4d 42 72 20 20 20 20 20 20 20 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4;) Parser failed - skipping rule SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012073 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012074 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012065 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012066 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2012068 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012069 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 25 32 66 --------- Hex Payload End ----------- db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"db_type=0script"; |---------------------| Building Rule: 2012070 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2012071 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"v1=0script"; |---------------------| Building Rule: 2012072 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012076 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012077 -------- Hex Payload Start ---------- 47 6f 61 74 7a 61 70 73 7a 75 3a --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_dst |---------------------| Building Rule: 2012078 -------- Hex Payload Start ---------- 16 03 00 00 5c c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_dst |---------------------| Building Rule: 2012079 -------- Hex Payload Start ---------- 16 03 00 00 26 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 --------- Hex Payload End ----------- type both, count 1, seconds 300, track by_dst |---------------------| Building Rule: 2012080 -------- Hex Payload Start ---------- 16 03 00 00 34 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2012085 -------- Hex Payload Start ---------- 4e 74 44 6c 6c 49 6d 61 67 65 42 61 73 65 22 67 65 74 4d 6f 64 75 6c 65 49 6e 66 6f 73 28 20 27 6e 74 64 6c 6c 2e 64 6c 6c 27 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012100 -------- Hex Payload Start ---------- 5a 77 50 72 6f 74 65 63 74 56 69 72 74 75 61 6c 4d 65 6d 6f 72 79 22 73 74 72 44 75 70 28 3c 6f 62 6a 65 63 74 20 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6a 61 76 61 2d 61 70 70 6c 65 74 3c 70 61 72 61 6d 20 6e 61 6d 65 20 22 6c 61 75 6e 63 68 6a 6e 6c 70 22 3c 70 61 72 61 6d 20 6e 61 6d 65 20 22 64 6f 63 62 61 73 65 22 3c 66 69 65 6c 64 73 65 74 3e 3c 6c 65 67 65 6e 64 3e 20 6f 62 6a 65 63 74 2e 69 6e 6e 65 72 48 54 4d 4c --------- Hex Payload End ----------- and.*if\( uricontent:"andif("; |---------------------| Building Rule: 2012099 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- ^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$ uricontent:"/A0/A0A0A0/A0000A0A0/"; Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; uricontent:"/A0/A0A0A0/A0000A0A0/"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:11;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2012086
-------- Hex Payload Start ----------
e8 00 00 00 00 58
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012087
-------- Hex Payload Start ----------
e8 00 00 00 00 58
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012088
-------- Hex Payload Start ----------
e8 00 00 00 00 8f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012089
-------- Hex Payload Start ----------
e8 00 00 00 00 8f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012090
-------- Hex Payload Start ----------
e8 00 00 00 00 0f 1a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012091
-------- Hex Payload Start ----------
e8 00 00 00 00 0f 1a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012092
-------- Hex Payload Start ----------
e8 00 00 00 00 0f a9
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012093
-------- Hex Payload Start ----------
e8 00 00 00 00 0f a9
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012094
Error here depth!
Error here within!
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 ff 53 4d 42 32 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 03 00
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)
content:"<objectclassid="clsid:F21507A7-530F-4A89-8FE4-9D989670FD2C ";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; content:"<objectclassid="clsid:F21507A7-530F-4A89-8FE4-9D989670FD2C "; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; distance:0; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:1;)
Parser failed - skipping rule
<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>
content:"<objectclassid="clsid:2745E5F5-D234-11D0-847A-00C04FD7BB08>";
|---------------------|
Building Rule: 2012097
-------- Hex Payload Start ----------
63 6c 73 69 64 32 37 34 35 45 35 46 35 2d 44 32 33 34 2d 31 31 44 30 2d 38 34 37 41 2d 30 30 43 30 34 46 44 37 42 42 30 38 2e 41 64 64 43 6f 6e 74 65 78 74 52 65 66 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 32 37 34 35 45 35 46 35 2d 44 32 33 34 2d 31 31 44 30 2d 38 34 37 41 2d 30 30 43 30 34 46 44 37 42 42 30 38 3e
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)
content:"<objectclassid="clsid:8234E54E-20CB-4A88-9AB6-7986F99BE243 ";
|---------------------|
Building Rule: 2012098
-------- Hex Payload Start ----------
63 6c 73 69 64 20 38 32 33 34 45 35 34 45 2d 32 30 43 42 2d 34 41 38 38 2d 39 41 42 36 2d 37 39 38 36 46 39 39 42 45 32 34 33 2e 53 65 74 49 64 65 6e 74 69 74 79 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 38 32 33 34 45 35 34 45 2d 32 30 43 42 2d 34 41 38 38 2d 39 41 42 36 2d 37 39 38 36 46 39 39 42 45 32 34 33 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012101
-------- Hex Payload Start ----------
50 4f 53 54 20 0d 0a 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3c 6d 65 74 68 6f 64 43 61 6c 6c 3e 3c 6d 65 74 68 6f 64 4e 61 6d 65 3e 20 3c 70 61 72 61 6d 73 3e 3c 2f 76 61 6c 75 65 3e 3c 70 61 72 61 6d 3e 20 3c 76 61 6c 75 65 3e 20 3c 73 74 72 69 6e 67 3e 27 20 3b 20 3b 27
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)
content:"<objectclassid="clsid:E589DA78-AD4C-4FC5-B6B9-9E47B110679E ";
|---------------------|
Building Rule: 2012102
-------- Hex Payload Start ----------
63 6c 73 69 64 20 45 35 38 39 44 41 37 38 2d 41 44 34 43 2d 34 46 43 35 2d 42 36 42 39 2d 39 45 34 37 42 31 31 30 36 37 39 45 2e 49 6d 61 67 65 32 50 44 46 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 45 35 38 39 44 41 37 38 2d 41 44 34 43 2d 34 46 43 35 2d 42 36 42 39 2d 39 45 34 37 42 31 31 30 36 37 39 45 20
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2012104
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 41 64 56 61 6e 74 61 67 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012105
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012106
-------- Hex Payload Start ----------
25 75 36 31 37 32 25 75 36 37 37 35 25 75 36 64 36 35 25 75 36 65 37 34 25 75 37 33 32 65 25 75 36 33 36 31 25 75 36 63 36 63 25 75 36 35 36 35
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012107
-------- Hex Payload Start ----------
25 75 36 34 36 66 25 75 36 33 37 35 25 75 36 64 36 35 25 75 36 65 37 34 25 75 32 65 37 37 25 75 37 32 36 39 25 75 37 34 36 35
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012108
-------- Hex Payload Start ----------
25 75 36 33 36 38 25 75 36 31 37 32 25 75 34 33 36 66 25 75 36 34 36 35 25 75 34 31 37 34
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012109
-------- Hex Payload Start ----------
25 75 35 33 37 34 25 75 37 32 36 39 25 75 36 65 36 37 25 75 32 65 36 36 25 75 37 32 36 66 25 75 36 64 34 33 25 75 36 38 36 31 25 75 37 32 34 33 25 75 36 66 36 34 25 75 36 35
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012110
-------- Hex Payload Start ----------
25 75 39 30 25 75 39 30
--------- Hex Payload End -----------
^[a-f0-9]{4}
content:"aaaa";
|---------------------|
Building Rule: 2012111
-------- Hex Payload Start ----------
25 75 39 30 39 30 25 75 20 61 61 61 61
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012112
-------- Hex Payload Start ----------
25 39 30 25 39 30 25 39 30 25 39 30
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012113
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012114
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20
--------- Hex Payload End -----------
\x00[0-9]{4,7}\x02in\x00
content:"#0000#in#";
|---------------------|
Building Rule: 2012115
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 02 69 6e 00 20 00 30 30 30 30 02 69 6e 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012116
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012117
-------- Hex Payload Start ----------
6c 61 6e 5f 6d 61 63 3a 3a 77 6c 61 6e 5f 6d 61 63 3a 3a 6c 61 6e 5f 69 70 3a 3a 6d 65 6d 5f 69 6e 66 6f 3a 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012118
-------- Hex Payload Start ----------
3d 5b 22 5c 78 36 38 5c 78 37 34 5c 78 37 34 5c 78 37 30 5c 78 33 41 5c 78 32 46 5c 78 32 46 5c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012122
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012123
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012124
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012125
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012126
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012127
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012128
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012129
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
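The rules this log skips on isdataat (the RealWin rule, sid 2012096, and the Lotus Domino iCalendar rule, sid 2012135) need only two things beyond plain content layout: a run of N bytes after the last match, and a guarantee that a negated content does not occur in that run. The Python below is an added example, not code from the converter that produced this log. It builds the same kind of hex payload from a rule's content/offset/depth/distance/within options, models isdataat:N,relative and negated content by padding with a filler byte, and lists the keywords it cannot model (byte_test, flowbits, threshold and so on) instead of skipping the whole rule. The filler byte 0x41, appending absolute contents in rule order, and the trimmed copy of the RealWin rule used as input are this example's own choices.

```python
import re

# Added example, not the converter that produced this log: build a test payload from a
# Snort/Suricata rule the way the "Hex Payload" blocks do, but also model
# isdataat:N,relative and negated content (the keywords behind the RealWin and Lotus
# Domino failures). Keywords this does not model are reported in `notes`.

FILL = 0x41   # assumption: pad with 'A', printable and never 0x0a, so content:!"|0a|" holds

# one rule option: keyword, optional ':' value (quoted, or up to the next ';'), then ';'
OPTION_RE = re.compile(r'\s*(?P<key>[\w.]+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
MODIFIERS = {"offset", "depth", "distance", "within", "nocase", "fast_pattern"}
IGNORED = {"msg", "flow", "reference", "classtype", "sid", "rev", "metadata"}


def parse_options(rule):
    """Return the options inside (...) as (keyword, raw value or None) pairs, in order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, pos = [], 0
    while body[pos:].strip():
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("cannot parse options near %r" % body[pos:pos + 30])
        opts.append((m.group("key"), m.group("val")))
        pos = m.end()
    return opts


def decode_content(val):
    """'!"GIF89a|50 00|"' -> (True, b'GIF89aP\\x00'): |..| runs are hex, the rest literal."""
    val = val.strip()
    negated = val.startswith("!")
    val = val.lstrip("!").strip().strip('"')
    out = bytearray()
    for i, part in enumerate(val.split("|")):
        if i % 2:                                      # inside |...|
            out += bytes.fromhex(part)
        else:                                          # literal; '\' escapes the next char
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return negated, bytes(out)


def build_payload(rule):
    """Lay the rule's contents out in order; return (payload bytes, notes)."""
    items, notes = [], []
    for key, val in parse_options(rule):
        if key == "content":
            negated, data = decode_content(val)
            items.append({"kind": "content", "negated": negated, "data": data, "mods": {}})
        elif key == "isdataat":
            items.append({"kind": "isdataat", "spec": val.replace(" ", "")})
        elif key in MODIFIERS and items and items[-1]["kind"] == "content":
            items[-1]["mods"][key] = val
        elif key not in IGNORED:
            notes.append("unsupported keyword: " + key)

    payload, cursor = bytearray(), 0          # cursor = end of the last positive match

    def pad_to(n):
        payload.extend([FILL] * (n - len(payload)))

    for it in items:
        if it["kind"] == "isdataat":           # "744,relative": 744 bytes must follow cursor
            n, *flags = it["spec"].split(",")
            pad_to((cursor if "relative" in flags else 0) + int(n))
            continue
        data, mods = it["data"], it["mods"]
        distance = int(mods.get("distance", 0))
        relative = "distance" in mods or "within" in mods
        if it["negated"]:                       # a constraint on existing bytes, not a write
            window = int(mods.get("within", len(payload)))
            start = cursor + distance
            pad_to(start + window)
            if data in bytes(payload[start:start + window]):
                notes.append("check failed: negated content %r present" % data)
            continue
        # assumption: an absolute content without offset is appended in rule order
        start = cursor + distance if relative else int(mods.get("offset", len(payload)))
        pad_to(start)
        payload[start:start + len(data)] = data
        if "depth" in mods and start + len(data) > int(mods["depth"]):
            notes.append("check failed: %r ends past depth %s" % (data, mods["depth"]))
        if "within" in mods and distance + len(data) > int(mods["within"]):
            notes.append("check failed: %r ends past within %s" % (data, mods["within"]))
        cursor = start + len(data)
    return bytes(payload), notes


def hex_payload(rule):
    """The payload in the log's 'Hex Payload' spelling."""
    payload, _ = build_payload(rule)
    return " ".join("%02x" % b for b in payload)


# Constructed input: the RealWin rule from this log (sid 2012096), reference: options trimmed.
REALWIN = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA '
           'Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 '
           '00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; distance:0; within:10; '
           'isdataat:744,relative; content:!"|0a|"; within:744; classtype:attempted-user; '
           'sid:2012096; rev:1;)')

if __name__ == "__main__":
    payload, notes = build_payload(REALWIN)
    print(len(payload), "bytes;", notes or "all keywords modelled")
    print(hex_payload(REALWIN)[:60], "...")
```

For the RealWin rule this yields 762 bytes: the 8-byte header, the 10-byte sub-header, then 744 filler bytes with no 0x0a in them, which is exactly what isdataat:744,relative plus content:!"|0a|"; within:744 asks for. Feeding it the Visio DXF rule from further down instead produces a 9-byte payload and two notes, for flowbits and byte_test, rather than the "Parser failed" the log shows.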
mybloggie_root_path=\s*(ftps?|https?|php)\:\/
uricontent:"mybloggie_root_path=ftp:/";
|---------------------|
Building Rule: 2012130
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
ASCII\(.+SELECT
uricontent:"ASCII(0SELECT";
|---------------------|
Building Rule: 2012131
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10;)
Parser failed - skipping rule
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2012140
-------- Hex Payload Start ----------
50 4f 53 54 20 20 70 61 72 61 6d 73 3d
--------- Hex Payload End -----------
!!--no content found in the rule--!!
Unsupported keyword!
Error parsing rule contents
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active"; ip_proto:41; threshold:type both,track by_dst, count 1, seconds 60; reference:url,en.wikipedia.org/wiki/6in4; classtype:policy-violation; sid:2012141; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2012142
Error here within!
-------- Hex Payload Start ----------
52 49 46 46 20 20 20 20 41 56 49 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012143
Error here within!
-------- Hex Payload Start ----------
73 74 72 66 20 20 20 20 20 20 20 20 93 00 00 00
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>
content:"<objectclassid="clsid:73F57628-B458-11D4-9673-00A0D212FC63>";
|---------------------|
Building Rule: 2012145
-------- Hex Payload Start ----------
63 6c 73 69 64 37 33 46 35 37 36 32 38 2d 42 34 35 38 2d 31 31 44 34 2d 39 36 37 33 2d 30 30 41 30 44 32 31 32 46 43 36 33 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 2e 4d 61 70 5a 6f 6e 65 28 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 37 33 46 35 37 36 32 38 2d 42 34 35 38 2d 31 31 44 34 2d 39 36 37 33 2d 30 30 41 30 44 32 31 32 46 43 36 33 3e
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>
content:"<objectclassid="clsid:DC922B67-FF61-455E-9D79-959925B6695C>";
|---------------------|
Building Rule: 2012146
-------- Hex Payload Start ----------
63 6c 73 69 64 44 43 39 32 32 42 36 37 2d 46 46 36 31 2d 34 35 35 45 2d 39 44 37 39 2d 39 35 39 39 32 35 42 36 36 39 35 43 20 6a 61 76 61 73 63 72 69 70 74 3a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 2e 73 74 72 61 74 65 67 79 6a 61 76 61 73 63 72 69 70 74 3a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 2e 74 61 72 67 65 74 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 44 43 39 32 32 42 36 37 2d 46 46 36 31 2d 34 35 35 45 2d 39 44 37 39 2d 39 35 39 39 32 35 42 36 36 39 35 43 3e
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>
content:"<objectclassid="clsid:25982EAA-87CC-4747-BE09-9913CF7DD2F1>";
|---------------------|
Building Rule: 2012147
-------- Hex Payload Start ----------
2e 47 65 74 57 65 62 53 74 6f 72 65 55 52 4c 20 63 6c 73 69 64 32 35 39 38 32 45 41 41 2d 38 37 43 43 2d 34 37 34 37 2d 42 45 30 39 2d 39 39 31 33 43 46 37 44 44 32 46 31 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 32 35 39 38 32 45 41 41 2d 38 37 43 43 2d 34 37 34 37 2d 42 45 30 39 2d 39 39 31 33 43 46 37 44 44 32 46 31 3e
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>
content:"<objectclassid="clsid:BECB8EE1-6BBB-4A85-8DFD-099B7A60903A>";
|---------------------|
Building Rule: 2012148
-------- Hex Payload Start ----------
63 6c 73 69 64 42 45 43 42 38 45 45 31 2d 36 42 42 42 2d 34 41 38 35 2d 38 44 46 44 2d 30 39 39 42 37 41 36 30 39 30 33 41 2e 45 6e 71 75 65 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 42 45 43 42 38 45 45 31 2d 36 42 42 42 2d 34 41 38 35 2d 38 44 46 44 2d 30 39 39 42 37 41 36 30 39 30 33 41 3e
--------- Hex Payload End -----------
<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>
content:"<objectclassid="clsid:62A989CE-D39A-11D5-86F0-B9C370762176>";
|---------------------|
Building Rule: 2012133
-------- Hex Payload Start ----------
63 6c 73 69 64 36 32 41 39 38 39 43 45 2d 44 33 39 41 2d 31 31 44 35 2d 38 36 46 30 2d 42 39 43 33 37 30 37 36 32 31 37 36 2e 45 6e 75 6d 46 69 6c 65 73 20 3c 6f 62 6a 65 63 74 63 6c 61 73 73 69 64 3d 22 63 6c 73 69 64 3a 36 32 41 39 38 39 43 45 2d 44 33 39 41 2d 31 31 44 35 2d 38 36 46 30 2d 42 39 43 33 37 30 37 36 32 31 37 36 3e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"|0d 0a|ORGANIZER"; content:"mailto|3a|"; nocase; within:50; isdataat:2000,relative; content:!"|0a|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3;)
Parser failed - skipping rule
@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]
content:"@#i#m#p#o#r#t# 0000#";
|---------------------|
Building Rule: 2012149
-------- Hex Payload Start ----------
40 00 69 00 6d 00 70 00 6f 00 72 00 74 00 40 00 69 00 6d 00 70 00 6f 00 72 00 74 00 40 00 69 00 6d 00 70 00 6f 00 72 00 74 00 20 40 00 69 00 6d 00 70 00 6f 00 72 00 74 00 20 30 30 30 30 01
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012150
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012151
-------- Hex Payload Start ----------
32 2e 32 32 35 30 37 33 38 35 38 35 30 37 32 30 31 31 65 2d 33 30 38
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012152
-------- Hex Payload Start ----------
20 20 30 20 0a 53 45 43 54 49 4f 4e 20 20 20 32 48 45 41 44 45 52 20 0a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2;)
Parser failed - skipping rule
WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)
content:"WBEM.SingleViewCtrl.10AddContextRef";
|---------------------|
Building Rule: 2012157
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 57 42 45 4d 2e 53 69 6e 67 6c 65 56 69 65 77 43 74 72 6c 2e 31 20 57 42 45 4d 2e 53 69 6e 67 6c 65 56 69 65 77 43 74 72 6c 2e 31 30 41 64 64 43 6f 6e 74 65 78 74 52 65 66
--------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)
content:"<OBJECT classid=clsid:2745E5F5-D234-11D0-847A-00C04FD7BB080AddContextRef";
|---------------------|
Building Rule: 2012158
-------- Hex Payload Start ----------
32 37 34 35 45 35 46 35 2d 44 32 33 34 2d 31 31 44 30 2d 38 34 37 41 2d 30 30 43 30 34 46 44 37 42 42 30 38 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 37 34 35 45 35 46 35 2d 44 32 33 34 2d 31 31 44 30 2d 38 34 37 41 2d 30 30 43 30 34 46 44 37 42 42 30 38 30 41 64 64 43 6f 6e 74 65 78 74 52 65 66
--------- Hex Payload End -----------
^[^?#]+?\.php\?f=\w+&e=\d+$
uricontent:"#.php?f=A&e=0";
|---------------------|
Building Rule: 2012169
-------- Hex Payload Start ----------
20 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 48 6f 73 74 3a
--------- Hex Payload End -----------
SELECT.+FROM
uricontent:"SELECT0FROM";
|---------------------|
Building Rule: 2012159
-------- Hex Payload Start ----------
47 45 54 20 20 20 20
--------- Hex Payload End -----------
DELETE.+FROM
uricontent:"DELETE0FROM";
|---------------------|
Building Rule: 2012160
-------- Hex Payload Start ----------
47 45 54 20 20 20
--------- Hex Payload End -----------
UNION.+SELECT
uricontent:"UNION0SELECT";
|---------------------|
Building Rule: 2012161
-------- Hex Payload Start ----------
47 45 54 20 20 20 20
--------- Hex Payload End -----------
INSERT.+INTO
uricontent:"INSERT0INTO";
|---------------------|
Building Rule: 2012162
-------- Hex Payload Start ----------
47 45 54 20 20 20 20
--------- Hex Payload End -----------
UPDATE.+SET
uricontent:"UPDATE0SET";
|---------------------|
Building Rule: 2012163
-------- Hex Payload Start ----------
47 45 54 20 20 20 20
--------- Hex Payload End -----------
email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"email=0script";
|---------------------|
Building Rule: 2012164
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\/
uricontent:"DIR_FILES_BLOCK_TYPES_CORE=ftp:/";
|---------------------|
Building Rule: 2012165
-------- Hex Payload Start ----------
47 45 54 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012166
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
AND.*IF\(
uricontent:"ANDIF(";
|---------------------|
Building Rule: 2012167
-------- Hex Payload Start ----------
47 45 54 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012168
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012170
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6c 69 7a 7a 61 72 64 20 57 65 62 20 43 6c 69 65 6e 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012171
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 04 33 33 32 32 03 6f 72 67
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2012172
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 72 67 75 64
--------- Hex Payload End -----------
eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)
content:"eval(String.fromCharCode(";
|---------------------|
Building Rule: 2012173
-------- Hex Payload Start ----------
65 76 61 6c 28 20 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 20 65 76 61 6c 28 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28
--------- Hex Payload End -----------
^=\s*\x22\s*[^\s\x22\x28]{1000}
content:"="########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################";
|---------------------|
Building Rule: 2012174
-------- Hex Payload Start ----------
43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 73 76 67 2b 78 6d
6c 3c 73 76 67 20 78 6d 6c 6e 73 3d 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 66 66 66 66 22 74 72 61 6e 73 66 6f 72 6d 20 3d 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012176 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 74 77 6f 74 68 6f 75 73 61 6e 64 73 02 63 6d --------- Hex Payload End ----------- \.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$ uricontent:".php?#=v000=="; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:".php?"; http_uri; content:"=v"; http_uri; uricontent:".php?#=v000=="; content:"data="; http_client_body; depth:5; content:"wget"; nocase; http_header; fast_pattern:only; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:18;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carberp CnC request POST /set/task.html"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/set/task.html"; http_uri; depth:14; content:"id=dvlsl"; http_client_body; classtype:trojan-activity; sid:2012178; rev:4;) Parser failed - skipping rule <<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2} content:"<</U3D/Length 172000"; |---------------------| Building Rule: 2012179 -------- Hex Payload Start ---------- 2f 55 33 44 2f 4c 65 6e 67 74 68 20 31 37 32 20 3c 3c 2f 55 33 44 2f 4c 65 6e 67 74 68 20 31 37 32 30 30 30 --------- Hex Payload End ----------- DIR_LIBS=\s*(ftps?|https?|php)\x3a\/ uricontent:"DIR_LIBS=ftp:/"; |---------------------| Building Rule: 2012181 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR_LIBS=\s*(ftps?|https?|php)\x3a\/ uricontent:"DIR_LIBS=ftp:/"; |---------------------| Building Rule: 2012182 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR_LIBS=\s*(ftps?|https?|php)\x3a\/ 
uricontent:"DIR_LIBS=ftp:/"; |---------------------| Building Rule: 2012184 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- DIR_LIBS=\s*(ftps?|https?|php)\x3a\/ uricontent:"DIR_LIBS=ftp:/"; |---------------------| Building Rule: 2012185 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012186 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"f_srch=0script"; |---------------------| Building Rule: 2012187 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2012189 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"client=0script"; |---------------------| Building Rule: 2012190 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"file=0script"; |---------------------| Building Rule: 2012191 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9 content:"<OBJECT classid=clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; |---------------------| Building Rule: 2012192 -------- Hex Payload Start ---------- 30 42 36 38 42 37 45 42 2d 30 32 46 46 2d 34 41 34 31 2d 42 43 31 34 2d 33 43 33 30 33 42 42 38 35 33 46 39 44 65 6c 
46 69 6c 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 42 36 38 42 37 45 42 2d 30 32 46 46 2d 34 41 34 31 2d 42 43 31 34 2d 33 43 33 30 33 42 42 38 35 33 46 39 --------- Hex Payload End ----------- pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"pjl_ready_message=0script"; |---------------------| Building Rule: 2012193 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 content:"<OBJECT classid=clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; |---------------------| Building Rule: 2012194 -------- Hex Payload Start ---------- 46 44 43 37 41 35 33 35 2d 34 30 37 30 2d 34 42 39 32 2d 41 30 45 41 2d 44 39 39 39 34 42 43 43 30 44 43 35 52 65 63 6f 72 64 43 6c 69 70 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 46 44 43 37 41 35 33 35 2d 34 30 37 30 2d 34 42 39 32 2d 41 30 45 41 2d 44 39 39 39 34 42 43 43 30 44 43 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012196 -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 28 22 20 2e 20 22 20 2b 0a 20 22 20 2b 0a 20 22 20 20 22 20 2b 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012197 -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 28 27 20 2e 20 27 20 2b 0a 20 27 20 2b 0a 20 27 20 2b 0a 20 27 20 2b 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012198 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012199 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012200 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| 
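Before many of the "Building Rule" entries above, the converter prints a pcre body followed by the content or uricontent literal it derived from it: `SELECT.+FROM` becomes `uricontent:"SELECT0FROM";`, `DIR_LIBS=\s*(ftps?|https?|php)\x3a\/` becomes `uricontent:"DIR_LIBS=ftp:/";`, and `\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00` becomes `content:"##00#cn#";`. The log does not show how that literal is produced. The Python below is an added example, not the converter's code, that reproduces every pcre-to-literal pair visible in this section under rules inferred from those pairs: a `*` or `?` quantifier contributes zero copies, `+` one copy and `{m,n}` m copies; a group yields its first alternative; a character class yields its first member; `.` yields `0`, `\w` yields `A`, `\s` a single space; anchors yield nothing; and any non-printable byte is rendered as `#`. The treatment of negated classes (`0`) and of `\d` are assumptions the log does not settle, and all function names are mine.

```python
"""Derive the literal a pcre body was approximated to in the log above.

Added example, not the converter's code. The rules below are inferred from
the pcre -> content pairs printed in this section; the choices for negated
classes and \\d are assumptions the log does not pin down.
"""
from typing import Tuple


def sample_from_regex(pattern: str) -> str:
    """Shortest 'first choice' string for pattern: * and ? contribute nothing, +
    one copy, {m,n} m copies, a group its first alternative, a class its first
    member, '.' -> '0', '\\w' -> 'A', '\\s' -> ' '; non-printables print as '#'."""
    text, i = _parse_alt(pattern, 0)
    if i != len(pattern):
        raise ValueError(f"unbalanced ')' at offset {i} in {pattern!r}")
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else "#" for ch in text)


def to_content_option(pattern: str, uri: bool = True) -> str:
    """Render the approximation the way the log prints it."""
    keyword = "uricontent" if uri else "content"
    return f'{keyword}:"{sample_from_regex(pattern)}";'


def _parse_alt(p: str, i: int) -> Tuple[str, int]:
    """Alternatives up to ')' or end of pattern; only the first one is kept."""
    chosen, i = _parse_seq(p, i)
    while i < len(p) and p[i] == "|":
        _, i = _parse_seq(p, i + 1)  # parsed only to find where it ends
    return chosen, i


def _parse_seq(p: str, i: int) -> Tuple[str, int]:
    out = []
    while i < len(p) and p[i] not in "|)":
        atom, i = _parse_atom(p, i)
        count, i = _parse_quant(p, i)
        out.append(atom * count)
    return "".join(out), i


def _parse_atom(p: str, i: int) -> Tuple[str, int]:
    c = p[i]
    if c == "(":
        i += 3 if p.startswith("(?:", i) else 1
        inner, i = _parse_alt(p, i)
        if i >= len(p) or p[i] != ")":
            raise ValueError(f"unclosed group in {p!r}")
        return inner, i + 1
    if c == "[":
        return _parse_class(p, i + 1)
    if c == "\\":
        return _parse_escape(p, i + 1)
    if c in "^$":
        return "", i + 1                 # anchors consume no text
    return ("0" if c == "." else c), i + 1


def _parse_escape(p: str, i: int) -> Tuple[str, int]:
    """p[i] is the character after the backslash."""
    c = p[i]
    if c == "x":
        return chr(int(p[i + 1:i + 3], 16)), i + 3
    if c in "swd":
        return {"s": " ", "w": "A", "d": "0"}[c], i + 1
    return c, i + 1                      # escaped metacharacter is a literal


def _parse_class(p: str, i: int) -> Tuple[str, int]:
    """p[i] is the character after '['; the class yields its first member
    (a negated class yields '0', an assumption the log does not settle)."""
    negated = p[i] == "^"
    if negated:
        i += 1
    first = None
    while p[i] != "]":
        ch, i = _parse_escape(p, i + 1) if p[i] == "\\" else (p[i], i + 1)
        if p[i] == "-" and p[i + 1] != "]":   # range: keep the low end, skip the high end
            i += 1
            _, i = _parse_escape(p, i + 1) if p[i] == "\\" else (None, i + 1)
        if first is None:
            first = ch
    return ("0" if negated else first), i + 1


def _parse_quant(p: str, i: int) -> Tuple[int, int]:
    if i < len(p) and p[i] in "*?+":
        count, i = (1 if p[i] == "+" else 0), i + 1
    elif i < len(p) and p[i] == "{" and "}" in p[i:]:
        close = p.index("}", i)
        count, i = int(p[i + 1:close].split(",")[0]), close + 1
    else:
        return 1, i
    if i < len(p) and p[i] == "?":       # lazy modifier: same minimum count
        i += 1
    return count, i


if __name__ == "__main__":
    for pcre in (r"SELECT.+FROM", r"DIR_LIBS=\s*(ftps?|https?|php)\x3a\/",
                 r"dx\.php\?i=[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a="):
        print(pcre, "->", to_content_option(pcre))
```

The derived string is one input that satisfies the pcre, which makes it usable as a test payload or as a fast-pattern pre-filter; it is not a substitute for the pcre. If a target engine kept only `uricontent:"SELECT0FROM"` and dropped the regular expression, the converted rule would match essentially no real traffic, so a rule that survives conversion in this form needs the pcre re-attached or rewritten before it is deployed.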
Building Rule: 2012201 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2012204 -------- Hex Payload Start ---------- 46 72 6f 6d 3a 20 22 73 69 70 73 73 63 75 73 65 72 22 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C content:"<OBJECT classid=clsid:36723F97-7AA0-11D4-8919-FF2D71D0D32C"; |---------------------| Building Rule: 2012206 -------- Hex Payload Start ---------- 33 36 37 32 33 46 39 37 2d 37 41 41 30 2d 31 31 44 34 2d 38 39 31 39 2d 46 46 32 44 37 31 44 30 44 33 32 43 47 65 74 44 72 69 76 65 72 53 65 74 74 69 6e 67 73 32 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 33 36 37 32 33 46 39 37 2d 37 41 41 30 2d 31 31 44 34 2d 38 39 31 39 2d 46 46 32 44 37 31 44 30 44 33 32 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012208 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 20 22 70 61 63 6b 2e 65 78 65 22 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012211 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012212 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012213 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012214 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET 
uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012215 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"tagcloud=0script"; |---------------------| Building Rule: 2012216 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"tagcloud=0script"; |---------------------| Building Rule: 2012220 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012217 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012219 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020 content:"<OBJECT classid=clsid:E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; |---------------------| Building Rule: 2012218 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 63 6c 61 73 73 69 64 43 4c 53 49 44 45 35 44 32 43 45 32 37 2d 35 46 41 30 2d 31 31 44 32 2d 41 36 36 36 2d 32 30 34 43 34 46 34 46 35 30 32 30 20 53 65 6c 65 63 74 53 65 72 76 65 72 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 45 35 44 32 43 45 32 37 2d 35 46 41 30 2d 31 31 44 32 2d 41 36 36 36 2d 32 30 34 43 34 46 34 46 35 30 32 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012221 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 73 6e 64 6f 77 6e 0d 0a --------- Hex Payload 
End ----------- |---------------------| Building Rule: 2012222 -------- Hex Payload Start ---------- 20 20 20 77 69 6e 73 6f 66 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012223 -------- Hex Payload Start ---------- 20 20 20 77 69 6e 73 6f 66 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012224 -------- Hex Payload Start ---------- 20 20 20 77 69 6e 73 6f 66 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012225 -------- Hex Payload Start ---------- 70 72 61 71 75 65 6d 3d 74 69 74 75 6c 6f 3d 44 69 72 2b 53 79 73 74 65 6d 33 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012226 -------- Hex Payload Start ---------- 70 61 72 61 3d 74 69 74 75 6c 6f 3d 6d 65 6e 73 61 67 65 6d 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2012227 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 6f 66 74 75 70 64 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012230 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9 content:"<OBJECT classid=clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; |---------------------| Building Rule: 2012231 -------- Hex Payload Start ---------- 36 38 41 43 30 44 35 46 2d 30 34 32 34 2d 31 31 44 35 2d 38 32 32 46 2d 30 30 43 30 34 46 36 42 41 38 44 39 49 6d 70 6f 72 74 42 6f 64 79 54 65 78 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 36 38 41 43 30 44 35 46 2d 30 34 32 34 2d 31 31 44 35 2d 38 32 32 46 2d 30 30 43 30 34 46 36 42 41 38 44 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F647CBE5-3C01-402A-B3F0-502A77054A24 
content:"<OBJECT classid=clsid:F647CBE5-3C01-402A-B3F0-502A77054A24"; |---------------------| Building Rule: 2012232 -------- Hex Payload Start ---------- 46 36 34 37 43 42 45 35 2d 33 43 30 31 2d 34 30 32 41 2d 42 33 46 30 2d 35 30 32 41 37 37 30 35 34 41 32 34 44 6f 77 6e 6c 6f 61 64 53 69 6e 67 6c 65 4d 65 73 73 61 67 65 54 6f 46 69 6c 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 46 36 34 37 43 42 45 35 2d 33 43 30 31 2d 34 30 32 41 2d 42 33 46 30 2d 35 30 32 41 37 37 30 35 34 41 32 34 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4932CEF4-2CAA-11D2-A165-0060081C43D9 content:"<OBJECT classid=clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9"; |---------------------| Building Rule: 2012233 -------- Hex Payload Start ---------- 34 39 33 32 43 45 46 34 2d 32 43 41 41 2d 31 31 44 32 2d 41 31 36 35 2d 30 30 36 30 30 38 31 43 34 33 44 39 53 61 76 65 4c 61 79 6f 75 74 43 68 61 6e 67 65 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 34 39 33 32 43 45 46 34 2d 32 43 41 41 2d 31 31 44 32 2d 41 31 36 35 2d 30 30 36 30 30 38 31 43 34 33 44 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012234 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4e 43 53 45 43 57 4c 69 62 2e 4e 43 53 52 65 6e 64 65 72 65 72 57 72 69 74 65 4a 50 47 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012236 -------- Hex Payload Start ---------- 78 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012237 -------- Hex Payload Start ---------- 78 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012238 Error here within! -------- Hex Payload Start ---------- 78 35 33 0c 20 0c 30 0c 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012239 -------- Hex Payload Start ---------- 78 35 33 0c 31 0c 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012240 -------- Hex Payload Start ---------- 78 37 34 0c 31 0c 31 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012241 -------- Hex Payload Start ---------- 25 36 39 25 36 36 25 37 32 25 36 31 25 36 64 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012242 -------- Hex Payload Start ---------- 25 75 36 39 25 75 36 36 25 75 37 32 25 75 36 31 25 75 36 64 25 75 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012243 -------- Hex Payload Start ---------- 25 75 36 39 36 36 25 75 37 32 36 31 25 75 36 64 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012244 -------- Hex Payload Start ---------- 23 36 39 23 36 36 23 37 32 23 36 31 23 36 64 23 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012245 -------- Hex Payload Start ---------- 23 36 34 23 36 66 23 36 33 23 37 35 23 36 64 23 36 35 23 36 65 23 37 34 23 32 65 23 37 37 23 37 32 23 36 39 23 37 34 23 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012246 -------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 61 6d 78 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012247 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 54 57 65 62 43 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012249 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 
20 57 69 6e 33 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012252 -------- Hex Payload Start ---------- 30 61 30 61 30 61 30 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012254 -------- Hex Payload Start ---------- 25 75 30 61 30 61 25 75 30 61 30 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012255 -------- Hex Payload Start ---------- 25 75 30 61 25 75 30 61 25 75 30 61 25 75 30 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012257 -------- Hex Payload Start ---------- 25 30 63 25 30 63 25 30 63 25 30 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012258 -------- Hex Payload Start ---------- 25 75 30 63 30 63 25 75 30 63 30 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012259 -------- Hex Payload Start ---------- 25 75 30 63 25 75 30 63 25 75 30 63 25 75 30 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012260 -------- Hex Payload Start ---------- 25 37 30 25 36 31 25 37 32 25 37 33 25 36 35 25 34 39 25 36 65 25 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012261 -------- Hex Payload Start ---------- 25 75 37 30 25 75 36 31 25 75 37 32 25 75 37 33 25 75 36 35 25 75 34 39 25 75 36 65 25 75 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012262 -------- Hex Payload Start ---------- 25 75 37 30 36 31 25 75 37 32 37 33 25 75 36 35 34 39 25 75 36 65 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012263 -------- Hex Payload Start ---------- 25 33 63 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012264 -------- Hex Payload Start ---------- 25 75 33 63 25 75 37 33 25 75 36 33 25 75 37 32 25 75 36 39 25 75 37 30 25 75 37 34 --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2012265 -------- Hex Payload Start ---------- 25 75 33 63 37 33 25 75 36 33 37 32 25 75 36 39 37 30 25 75 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012266 -------- Hex Payload Start ---------- 25 37 35 25 36 65 25 36 35 25 37 33 25 36 33 25 36 31 25 37 30 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012267 -------- Hex Payload Start ---------- 25 75 37 35 25 75 36 65 25 75 36 35 25 75 37 33 25 75 36 33 25 75 36 31 25 75 37 30 25 75 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012268 -------- Hex Payload Start ---------- 25 75 37 35 36 65 25 75 36 35 37 33 25 75 36 33 36 31 25 75 37 30 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012269 -------- Hex Payload Start ---------- 25 37 33 25 37 35 25 36 32 25 37 33 25 37 34 25 37 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012270 -------- Hex Payload Start ---------- 25 75 37 33 25 75 37 35 25 75 36 32 25 75 37 33 25 75 37 34 25 75 37 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012271 -------- Hex Payload Start ---------- 25 75 37 33 37 35 25 75 36 32 37 33 25 75 37 34 37 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012272 -------- Hex Payload Start ---------- 25 36 35 25 37 36 25 36 31 25 36 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012273 -------- Hex Payload Start ---------- 25 75 36 35 25 75 37 36 25 75 36 31 25 75 36 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012274 -------- Hex Payload Start ---------- 25 75 36 35 37 36 25 75 36 31 36 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012276 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 
6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 53 50 53 5f 44 6f 63 75 6d 65 6e 74 2e 7a 69 70 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012278
-------- Hex Payload Start ---------- 20 4f 75 72 5f 41 67 65 6e 74 --------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2012286
-------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012287
-------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012289
-------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012290
-------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012288
-------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012295
-------- Hex Payload Start ---------- 47 45 54 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 45 4b 4f 4d --------- Hex Payload End -----------
type limit, count 1, seconds 60, track by_src
|---------------------| Building Rule: 2012296
-------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 73 74 65 72 69 73 6b 20 50 42 58 --------- Hex Payload End -----------
type limit, count 1, seconds 60, track by_src
|---------------------| Building Rule: 2012297
-------- Hex Payload Start ---------- 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 5a 6f 69 70 65 72 --------- Hex Payload End -----------
|---------------------|
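Every rule this log drops with "Unsupported keyword!" (the two SpyEye check-ins just above, the Renos and Carberp check-ins earlier, the BROWSER ELECTION rule sid 2012317 further down) carries either an HTTP sticky-buffer modifier (http_method, http_uri, http_header, http_client_body, http_stat_code) or isdataat/fast_pattern, while the rules that were built use only plain content, uricontent, pcre and threshold options. The log does not say which keyword tripped the parser in each case. The Python below is an added example, not the converter's code, that tokenises a rule's option list, reports the keywords outside an assumed support set, and concatenates the rule's positive content matches into the kind of hex test payload the log prints for rules it did build. The support set, the payload-building method and all function names are mine; the two rule strings are copied from this log.

```python
"""Scan Snort rules for keywords a target engine lacks and build a hex test payload.

Added example, not the converter's code. SUPPORTED_KEYWORDS is an assumption:
plain Snort 2 payload options, without the HTTP sticky-buffer modifiers
(http_method, http_uri, http_header, http_client_body, http_stat_code) and
without isdataat/fast_pattern, because in this log those keywords appear only
in rules that were skipped with "Unsupported keyword!".
"""
from typing import List, Tuple

SUPPORTED_KEYWORDS = {  # assumed target support set, see module docstring
    "msg", "flow", "flowbits", "content", "uricontent", "nocase", "depth",
    "offset", "distance", "within", "pcre", "reference", "classtype",
    "sid", "rev", "threshold",
}


def split_options(rule: str) -> List[Tuple[str, str]]:
    """(keyword, value) pairs from the parenthesised body; ';' splits only
    outside double quotes and a backslash escapes the next character."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs, cur, in_quote, escaped = [], [], False, False
    for ch in body + ";":           # trailing ';' flushes the last option
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt, cur = "".join(cur).strip(), []
            if opt:
                key, _, val = opt.partition(":")
                pairs.append((key.strip(), val.strip()))
        else:
            cur.append(ch)
    return pairs


def unsupported_keywords(rule: str, supported=SUPPORTED_KEYWORDS) -> List[str]:
    """Sorted, de-duplicated keywords the rule uses that the target lacks."""
    return sorted({key for key, _ in split_options(rule) if key not in supported})


def decode_content(value: str) -> Tuple[bool, bytes]:
    """Decode a content value to (negated, raw_bytes): '|..|' blocks are hex
    bytes, the rest is literal text, a backslash escapes the next character."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, hexbuf, in_hex, escaped = bytearray(), [], False, False
    for ch in value:
        if in_hex:
            if ch == "|":
                out += bytes.fromhex("".join(hexbuf))
                hexbuf, in_hex = [], False
            elif not ch.isspace():
                hexbuf.append(ch)
        elif escaped:
            out += ch.encode("latin-1")
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "|":
            in_hex = True
        else:
            out += ch.encode("latin-1")
    if in_hex or escaped:
        raise ValueError(f"unterminated hex block or escape in {value!r}")
    return negated, bytes(out)


def build_test_payload(rule: str) -> bytes:
    """Concatenate the rule's non-negated content matches in rule order. The
    result satisfies every positive content check but ignores depth/offset/
    distance/within, isdataat and pcre: a smoke test, not proof of equivalence."""
    chunks = []
    for key, val in split_options(rule):
        if key == "content":
            negated, raw = decode_content(val)
            if not negated:
                chunks.append(raw)
    return b"".join(chunks)


def hex_dump(data: bytes) -> str:
    """Lowercase space-separated hex, the layout of the log's 'Hex Payload' lines."""
    return " ".join(f"{b:02x}" for b in data)


# Two rules this log skipped with "Unsupported keyword!", copied from it.
CARBERP_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carberp CnC request '
                'POST /set/task.html"; flow:established,to_server; content:"POST"; nocase; http_method; '
                'content:"/set/task.html"; http_uri; depth:14; content:"id=dvlsl"; http_client_body; '
                'classtype:trojan-activity; sid:2012178; rev:4;)')
BROWSER_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft '
                'Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; '
                'content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; '
                'fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; '
                'reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; '
                'reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2;)')

if __name__ == "__main__":
    for rule in (CARBERP_RULE, BROWSER_RULE):
        print("unsupported:", unsupported_keywords(rule))
        print("payload:    ", hex_dump(build_test_payload(rule)))
```

Running the scan over a whole ruleset before conversion turns a silent "Parser failed - skipping rule" into a list of rules that need rewriting. In Snort 2 terms `content:"x"; http_uri;` has the legacy spelling `uricontent:"x";`, so a rule that fails only on http_uri can be carried over mechanically; http_method, http_header, http_client_body and http_stat_code have no legacy equivalent, and a check-in rule such as the Carberp one cannot be converted without losing the buffer restriction and thus gaining false positives or losing the match entirely.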
Building Rule: 2012298 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 a1 a1 48 74 74 70 43 6c 69 65 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012299 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012300 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2012303 -------- Hex Payload Start ---------- 01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13 --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2012304 -------- Hex Payload Start ---------- 01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13 --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_dst |---------------------| Building Rule: 2012306 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 68 57 24 13 --------- Hex Payload End ----------- type limit, count 1, seconds 60, track by_src |---------------------| Building Rule: 2012305 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 68 57 24 13 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012307 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 68 57 24 13 00 33 4d 69 63 72 6f 73 6f 66 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012308 -------- Hex Payload Start ---------- 01 08 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012309 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 00 00 70 61 73 73 77 6f 72 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012310 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 69 32 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012312 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 69 64 65 6e 74 69 74 79 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012313 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 78 69 6c 6c 61 --------- Hex Payload End ----------- dx\.php\?i=[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a= uricontent:"dx.php?i=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa&a="; |---------------------| Building Rule: 2012314 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012315 -------- Hex Payload Start ---------- 20 48 54 54 50 2f 31 2e 30 0d 0a 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 6f 70 65 72 61 2f 38 2e 31 31 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2;)
Parser failed - skipping rule
|---------------------| Building Rule: 2012318
-------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 41 6e 74 69 53 70 79 20 65 74 75 70 2e 65 78 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012319
-------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 69 72 73 5f 6c 65 67 61 6c 61 75 74 68 2d 74 61 78 5f 70 61 79 6d 65 6e 74 5f 6e 6f 74 69 63 65 5f 20 2e 7a 69 70 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012320
-------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 49 52 53 2d 54 61 78 50 61 79 6d 65 6e 74 4e 6f 74 69 66 69 63 61 74 69 6f 6e 20 2e 7a 69 70 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012322
-------- Hex Payload Start ---------- 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 31 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 3b 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012324
-------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; content:"200"; http_stat_code; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:5;)
Parser failed - skipping rule
\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00 content:"##00#cn#";
|---------------------| Building Rule: 2012327 Error here depth!
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 63 6e 00 20 30 20 00 02 30 30 02 63 6e 00 --------- Hex Payload End -----------
\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00 content:"##00#ru#";
|---------------------| Building Rule: 2012328 Error here depth!
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 72 75 00 20 00 02 30 30 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012329 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 49 6e 64 69 76 69 64 75 61 6c 5f 49 6e 63 6f 6d 65 5f 54 61 78 5f 52 74 72 6e 5f 20 2e 7a 69 70 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012331 -------- Hex Payload Start ---------- 0d 0a 48 6f 73 74 3a 20 69 64 69 73 6b 2e 6d 61 63 2e 63 6f 6d 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 74 4d 61 63 4b 69 74 2d 6c 69 6b 65 2c 20 46 69 6c 65 2d 53 79 6e 63 2d 44 69 72 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012333 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- id=\s*(ftps?|https?|php)\:\/ uricontent:"id=ftp:/"; |---------------------| Building Rule: 2012334 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012335 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012336 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"lang=0script"; |---------------------| Building Rule: 2012337 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012338 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012339 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012340 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012341 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012342 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012343 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- basedir=\s*(ftps?|https?|php)\:\/ uricontent:"basedir=ftp:/"; |---------------------| Building Rule: 2012344 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012345 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012346 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012347 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012348 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012349 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET 
image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"image=0script"; |---------------------| Building Rule: 2012601 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"AjaxHandler=0script"; |---------------------| Building Rule: 2012603 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- appMVCPath=\s*(ftps?|https?|php)\x3a\/ uricontent:"appMVCPath=ftp:/"; |---------------------| Building Rule: 2012604 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\/ uricontent:"CURRENT_BLOG_PATH=ftp:/"; |---------------------| Building Rule: 2012605 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012740 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 45 52 54 45 58 4e 45 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012606 -------- Hex Payload Start ---------- 29 20 48 61 76 69 6a 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012610 -------- Hex Payload Start ---------- 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 6f 2e 65 78 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012611 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 61 6d 70 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012612 Error here within! 
-------- Hex Payload Start ---------- 47 45 54 20 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 20 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 20 2e 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 29 0d 0a 48 6f 73 74 3a 20 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 20 74 20 2e 20 0a 20 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012615 -------- Hex Payload Start ---------- 43 4d 44 20 50 55 54 4c 49 4e 4b 20 68 74 74 70 3a 2f 2f 49 6e 6a 65 63 74 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012616 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012617 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012619 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012620 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012625 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 47 45 54 20 2f 75 72 2e 70 68 70 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012627 -------- Hex Payload Start ---------- 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a 48 6f 73 74 3a 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 29 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 20 0d 0a 0d 0a 64 61 74 61 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2012629 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 36 20 6f 6e 20 57 69 6e 64 6f 77 73 20 58 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012632 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 52 65 73 74 6f 72 65 20 59 6f 75 72 20 41 63 63 6f 75 6e 74 70 61 79 70 61 6c 66 6f 72 6d 2e 70 68 70 22 20 6d 65 74 68 6f 64 3d 22 70 6f 73 74 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012630 -------- Hex Payload Start ---------- 50 4f 53 54 20 75 73 72 3d 20 26 70 77 64 3d 20 26 6e 61 6d 65 2d 6f 6e 3d 20 26 63 75 2d 6f 6e 3d 20 26 68 6f 77 32 2d 6f 6e 3d --------- Hex Payload End ----------- c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2} uricontent:"c=aa-aa-aa-aa-aa-aa"; |---------------------| Building Rule: 2012631 -------- Hex Payload Start ---------- 20 20 20 20 20 26 6b 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2012635 -------- Hex Payload Start ---------- 41 43 48 20 74 72 61 6e 73 61 63 74 69 6f 6e 20 2e 70 64 66 2e 65 78 65 --------- Hex Payload End ----------- 
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5.+(Exec|ExecLow|ShellExec) content:"<OBJECT classid=clsid:5818813E-D53D-47A5-ABBB-37E2A07056B50Exec"; |---------------------| Building Rule: 2012636 -------- Hex Payload Start ---------- 35 38 31 38 38 31 33 45 2d 44 35 33 44 2d 34 37 41 35 2d 41 42 42 42 2d 33 37 45 32 41 30 37 30 35 36 42 35 45 78 65 63 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 35 38 31 38 38 31 33 45 2d 44 35 33 44 2d 34 37 41 35 2d 41 42 42 42 2d 33 37 45 32 41 30 37 30 35 36 42 35 30 45 78 65 63 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5 content:"<OBJECT classid=clsid:5818813E-D53D-47A5-ABBB-37E2A07056B5"; |---------------------| Building Rule: 2012637 -------- Hex Payload Start ---------- 35 38 31 38 38 31 33 45 2d 44 35 33 44 2d 34 37 41 35 2d 41 42 42 42 2d 33 37 45 32 41 30 37 30 35 36 42 35 43 72 65 61 74 65 56 69 73 74 61 54 61 73 6b 4c 6f 77 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 35 38 31 38 38 31 33 45 2d 44 35 33 44 2d 34 37 41 35 2d 41 42 42 42 2d 33 37 45 32 41 30 37 30 35 36 42 35 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B content:"<OBJECT classid=clsid:80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; |---------------------| Building Rule: 2012638 -------- Hex Payload Start ---------- 38 30 41 42 33 46 42 36 2d 39 36 36 30 2d 34 31 36 43 2d 42 45 38 44 2d 30 45 32 45 38 41 43 33 31 33 38 42 53 68 65 6c 6c 45 78 65 63 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 38 30 41 42 33 46 42 36 2d 39 36 36 30 2d 34 31 36 43 2d 42 45 38 44 2d 30 45 32 45 38 41 43 33 31 33 38 42 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B 
content:"<OBJECT classid=clsid:80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; |---------------------| Building Rule: 2012639 -------- Hex Payload Start ---------- 38 30 41 42 33 46 42 36 2d 39 36 36 30 2d 34 31 36 43 2d 42 45 38 44 2d 30 45 32 45 38 41 43 33 31 33 38 42 43 72 65 61 74 65 53 68 6f 72 74 63 75 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 38 30 41 42 33 46 42 36 2d 39 36 36 30 2d 34 31 36 43 2d 42 45 38 44 2d 30 45 32 45 38 41 43 33 31 33 38 42 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B content:"<OBJECT classid=clsid:80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; |---------------------| Building Rule: 2012640 -------- Hex Payload Start ---------- 38 30 41 42 33 46 42 36 2d 39 36 36 30 2d 34 31 36 43 2d 42 45 38 44 2d 30 45 32 45 38 41 43 33 31 33 38 42 43 6f 70 79 44 6f 63 75 6d 65 6e 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 38 30 41 42 33 46 42 36 2d 39 36 36 30 2d 34 31 36 43 2d 42 45 38 44 2d 30 45 32 45 38 41 43 33 31 33 38 42 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt"; flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launchjnlp"; fast_pattern; nocase; distance:0; content:"docbase"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:257,relative; content:!"|0A|"; within:257; reference:bid,44023; reference:cve,2010-3552; classtype:attempted-user; sid:2012641; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2012642 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 6f 7a 69 6c 6c 61 2f 32 2e 30 --------- Hex Payload End ----------- \/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+& uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php?height=0&sid=0&width=a&"; |---------------------| Building Rule: 2012644 -------- Hex Payload Start ---------- 26 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 20 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012645 -------- Hex Payload Start ---------- 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 20 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a --------- Hex Payload End ----------- type limit, count 1, seconds 300, track by_src |---------------------| Building Rule: 2012647 Protocol Not Supported type limit, count 1, seconds 3600, track by_src |---------------------| Building Rule: 2012648 -------- Hex Payload Start ---------- 7b 22 68 6f 73 74 5f 69 6e 74 22 3a 20 20 22 76 65 72 73 69 6f 6e 22 3a 20 5b 5d 2c 20 22 64 69 73 70 6c 61 79 6e 61 6d 65 22 3a 20 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017347 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 61 6d 65 55 70 64 61 74 
65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013808 -------- Hex Payload Start ---------- 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 78 70 6c 6f 72 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017990 -------- Hex Payload Start ---------- 70 69 6e 67 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017991 -------- Hex Payload Start ---------- 70 6f 6e 67 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012672 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012673 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012674 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012675 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ASCII\(.+SELECT uricontent:"ASCII(0SELECT"; |---------------------| Building Rule: 2012676 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End 
----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012677 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- onload\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"onload=0script"; |---------------------| Building Rule: 2012678 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- onload\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"onload=0script"; |---------------------| Building Rule: 2012679 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- we_transaction\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"we_transaction=0script"; |---------------------| Building Rule: 2012680 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- shop_artikelid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"shop_artikelid=0script"; |---------------------| Building Rule: 2012681 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012651 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012652 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012653 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload 
End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012654 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012655 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- callback\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"callback=0script"; |---------------------| Building Rule: 2012656 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012657 -------- Hex Payload Start ---------- 47 45 54 20 20 20 66 69 6c 65 3d 20 2e 2e 25 32 66 --------- Hex Payload End ----------- recruitcode\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"recruitcode=0script"; |---------------------| Building Rule: 2012658 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2012659 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012660 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012661 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012662 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- 
UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012663 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012664 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012665 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2012666 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012667 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012668 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- CKEditorFuncNum\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"CKEditorFuncNum=0script"; |---------------------| Building Rule: 2012669 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"action=0script"; |---------------------| Building Rule: 2012670 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=vK6yv+"; http_client_body; classtype:trojan-activity; sid:2012686; rev:4;) Parser failed - skipping rule \.php\?sex=\d+&children=\d+&userid= uricontent:".php?sex=0&children=0&userid="; |---------------------| Building Rule: 2012687 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012690 -------- Hex Payload Start ---------- 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 5b 56 65 72 73 69 6f 6e 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012691 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 73 68 6f 77 6d 79 69 70 61 64 64 72 65 73 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2012692 -------- Hex Payload Start ---------- 3c 70 3e 59 6f 75 72 20 63 75 72 72 65 6e 74 20 55 73 65 72 2d 41 67 65 6e 74 20 73 74 72 69 6e 67 20 61 70 70 65 61 72 73 20 74 6f 20 62 65 20 66 72 6f 6d 20 61 6e 20 61 75 74 6f 6d 61 74 65 64 20 70 72 6f 63 65 73 73 2c --------- Hex Payload End ----------- |---------------------| Building Rule: 2012693 -------- Hex Payload Start ---------- 20 45 6d 62 65 64 64 65 64 57 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014111 -------- Hex Payload Start ---------- 4d 4b 44 20 55 46 52 5f 53 74 65 61 6c 65 72 --------- Hex Payload End 
----------- |---------------------| Building Rule: 2012694 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 20 2e 78 78 78 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012695 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6f 74 74 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012696 -------- Hex Payload Start ---------- 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 49 6e 73 74 61 6c 6c 49 6e 74 65 72 6e 65 74 50 72 6f 74 65 63 74 69 6f 6e 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012697 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012698 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012699 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012700 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012701 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012702 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2012703 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| 
Building Rule: 2012704 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012705 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"service=0script"; |---------------------| Building Rule: 2012706 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012707 -------- Hex Payload Start ---------- 48 54 54 50 2f 31 2e 31 20 32 30 30 20 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 20 53 65 72 76 65 72 3a 6e 67 69 6e 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012708 -------- Hex Payload Start ---------- 48 54 54 50 2f 31 2e 31 20 34 31 34 20 52 65 71 75 65 73 74 2d 55 52 49 20 54 6f 6f 20 4c 61 72 67 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012709 Error here within! -------- Hex Payload Start ---------- 03 00 00 20 20 e0 00 00 00 00 00 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68 3d 61 64 6d 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2012710 Error here within! -------- Hex Payload Start ---------- 03 00 00 20 20 e0 00 00 00 00 00 20 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68 3d 72 6f 6f 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012712 Error here within! -------- Hex Payload Start ---------- 03 00 00 20 20 e0 00 00 00 00 00 20 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68 3d 73 65 72 76 69 63 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012711 Error here within! 
-------- Hex Payload Start ---------- 03 00 00 20 20 e0 00 00 00 00 00 20 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68 3d 70 6f 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012713 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012714 -------- Hex Payload Start ---------- 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 65 73 74 41 6e 74 69 76 69 72 75 73 32 30 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012715 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012716 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012717 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012718 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012719 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- x=\w uricontent:"x=A"; |---------------------| Building Rule: 2012720 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012721 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- default_services\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"default_services=0script"; |---------------------| Building Rule: 
2012722 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2012723 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- filePath=\s*(ftps?|https?|php)\:\/ uricontent:"filePath=ftp:/"; |---------------------| Building Rule: 2012724 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- \/[A-Z0-9]+\.[aj]sp\?[a-zA-Z0-9+/\x20=]+$ uricontent:"/A.asp?a"; |---------------------| Building Rule: 2018379 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 74 20 3a 20 20 4d 53 49 45 20 35 2e 30 31 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012725 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012726 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 4f 70 65 6e 56 41 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012728 -------- Hex Payload Start ---------- 09 63 69 74 69 2d 62 61 6e 6b 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012727 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012729 -------- Hex Payload Start ---------- 08 6e 74 6b 72 6e 6c 70 61 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012730 -------- Hex Payload Start ---------- 03 69 6c 6f 05 62 72 65 6e 7a 02 70 6c 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012731 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012732 -------- Hex Payload Start ---------- 20 20 2e 72 75 0d 0a --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2012734 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 73 6b 50 61 72 74 6e 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012735 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 61 62 79 6c 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2012737 -------- Hex Payload Start ---------- 2e 63 77 2e 63 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012738 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 38 38 36 36 03 6f 72 67 --------- Hex Payload End ----------- \/bot\.php$ uricontent:"/bot.php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/bot.php"; nocase; http_uri; fast_pattern:only; content:"mode="; nocase; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; uricontent:"/bot.php"; pcre:"/mode=\d/Pi"; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:trojan-activity; sid:2018518; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2012739 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 20 --------- Hex Payload End ----------- 
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC content:"<OBJECT classid=clsid:824C4DC5-8DA4-11D6-A01F-00E098177CDC";
|---------------------| Building Rule: 2012741 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 63 6c 61 73 73 69 64 43 4c 53 49 44 38 32 34 43 34 44 43 35 2d 38 44 41 34 2d 31 31 44 36 2d 41 30 31 46 2d 30 30 45 30 39 38 31 37 37 43 44 43 20 2e 47 65 74 49 74 65 6d 31 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 38 32 34 43 34 44 43 35 2d 38 44 41 34 2d 31 31 44 36 2d 41 30 31 46 2d 30 30 45 30 39 38 31 37 37 43 44 43 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012742 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 45 4c 4f 4e 46 4d 54 4c 69 62 2e 45 6c 6f 6e 46 6d 74 20 2e 47 65 74 49 74 65 6d 31 --------- Hex Payload End -----------
class_path=\s*(ftps?|https?|php)\:\/ uricontent:"class_path=ftp:/";
|---------------------| Building Rule: 2012743 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
and.*substring\( uricontent:"andsubstring(";
|---------------------| Building Rule: 2012744 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2012745 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2012746 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2012747 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2012748 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2012749 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012750 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 25 32 66 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012751 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 68 61 6e 67 68 75 61 74 6f 6e 67 --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:2;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; content:"User-Agent|3a 20|CholTBAgent"; http_header; threshold: type limit, count 2, seconds 40, track by_src; classtype:trojan-activity; sid:2012757; rev:5;) Parser failed - skipping rule
|---------------------| Building Rule: 2012758 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 64 79 6e 64 6e 73 03 --------- Hex Payload End -----------
f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert) uricontent:"f=vsr'||0or";
|---------------------| Building Rule: 2012760 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012761 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 64 6d 73 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012762 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 73 64 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012781 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 65 78 70 6c 6f 72 65 72 5f 65 78 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012782 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012783 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012784 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C content:"<OBJECT classid=clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C";
|---------------------| Building Rule: 2012787 -------- Hex Payload Start ---------- 44 32 35 46 43 41 46 43 2d 46 37 39 35 2d 34 36 30 39 2d 38 39 42 42 2d 35 46 37 38 42 34 41 43 41 46 32 43 53 65 74 41 63 74 69 76 65 58 47 55 49 44 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 44 32 35 46 43 41 46 43 2d 46 37 39 35 2d 34 36 30 39 2d 38 39 42 42 2d 35 46 37 38 42 34 41 43 41 46 32 43 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2012788 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2012789 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2012790 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2012791 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2012792 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End -----------
ASCII\(.+SELECT uricontent:"ASCII(0SELECT";
|---------------------| Building Rule: 2012793 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012794 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e 2e 2f --------- Hex Payload End -----------
root_path=\s*(ftps?|https?|php)\:\/ uricontent:"root_path=ftp:/";
|---------------------| Building Rule: 2012795 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"lang=0script";
|---------------------| Building Rule: 2012797 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
\/images2\/[0-9a-fA-F]{500}
uricontent:"/images2/00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2012799 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012800 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012801 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 65 6e 2d 55 53 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012802 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 65 6e 2d 55 53 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012803 -------- Hex Payload Start ---------- 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 65 6e 2d 55 53 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012804 -------- Hex Payload Start ---------- 61 73 63 69 69 20 0d 0a 0d 0a 34 64 35 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012805 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex 
Payload End -----------
src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll content:"src="res://mshtml.dll";
|---------------------| Building Rule: 2012806 -------- Hex Payload Start ---------- 2f 2f 6d 73 68 74 6d 6c 2e 64 6c 6c 75 6e 65 73 63 61 70 65 28 6f 6e 6c 6f 61 64 20 4f 62 6a 65 63 74 4c 6f 61 64 28 20 73 72 63 3d 22 72 65 73 3a 2f 2f 6d 73 68 74 6d 6c 2e 64 6c 6c --------- Hex Payload End -----------
|---------------------| Building Rule: 2012808 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012809 -------- Hex Payload Start ---------- 0d 0a 3c 21 2d 2d 20 54 68 69 73 20 69 73 20 61 20 57 6f 72 64 50 72 65 73 73 20 65 58 74 65 6e 64 65 64 20 52 53 53 20 66 69 6c 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 57 6f 72 64 50 72 65 73 73 20 61 73 20 61 6e 20 65 78 70 6f 72 74 20 6f 66 20 79 6f 75 72 20 73 69 74 65 2e 20 2d 2d 3e 0d 0a 20 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012810 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 2e 74 6b 0d 0a 20 2e --------- Hex Payload End -----------
|---------------------| Building Rule: 2012811 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 74 6b 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2016913 -------- Hex Payload Start ---------- 41 75 74 68 20 20 40 20 20 5c 23 2f 20 5c 23 2f 20 5c 23 2f --------- Hex Payload End -----------
|---------------------| Building Rule: 2012813 -------- Hex Payload Start ---------- 50 44 46 2d 2e 73 65 73 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012814 -------- Hex Payload Start ---------- 43 4f 4f 4c 4e 45 53 53 50 f2 08 00 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8;) Parser failed - skipping rule
|---------------------| Building Rule: 2012818 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
extn\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"extn=0alert";
|---------------------| Building Rule: 2012819 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
deviceInstanceName\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"deviceInstanceName=0alert";
|---------------------| Building Rule: 2012820 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
cmd\x3D(filterHelper|getDeviceData\x26group\x3D).+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"cmd=filterHelper0alert";
|---------------------| Building Rule: 2012821 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
\x2Ejsp\x3F(clusterName|deviceName)\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:".jsp?clusterName=0alert";
|---------------------| Building Rule: 2012822 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
clusterName\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"clusterName=0alert";
|---------------------| Building Rule: 2012823 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
introductionhomepage.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"introductionhomepage0alert";
|---------------------| Building Rule: 2012824 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
device\x3D.+(alert|script|onmouse|on key|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"device=0alert";
|---------------------| Building Rule: 2012825 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012826 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 76 76 02 63 63 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012827 -------- Hex Payload Start ---------- 2e 76 76 2e 63 63 0d 0a --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2013934; rev:5;) Parser failed - skipping rule
\x2fpeca\d+\x2eexe uricontent:"/peca0.exe";
|---------------------| Building Rule: 2012828 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 4b 4f 4c 4f 56 41 4e 49 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2012829 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2012830 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2012831 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2012832 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2012833 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End -----------
select.+substring uricontent:"select0substring";
|---------------------| Building Rule: 2012834 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012835 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End -----------
file=\w uricontent:"file=A";
|---------------------| Building Rule: 2012836 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/";
|---------------------| Building Rule: 2012837 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
type=\w uricontent:"type=A";
|---------------------| Building Rule: 2012838 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012839 Error here within! -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012841 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012842 -------- Hex Payload Start ---------- 00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http any any -> any any (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:3;) Parser failed - skipping rule
|---------------------| Building Rule: 2012844 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012845 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012846 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012847 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012849 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012850 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 6d 6f 62 69 6c 65 2e 66 6c 65 78 69 73 70 79 2e 63 6f 6d 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012851 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012852 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012853 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012854 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 69 76 65 55 70 64 61 74 65 72 20 31 2e 30 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012855 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012856 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012857 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation) uricontent:"/HiShowServlet/servlet0InstalNum";
|---------------------| Building Rule: 2012858 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012859 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012860 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 69 6d 70 6c 65 43 6c 69 65 6e 74 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012861 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 41 52 4b 2f --------- Hex Payload End -----------
|---------------------| Building Rule: 2012862 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012863 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012864 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012866 -------- Hex Payload Start ---------- ff ff ff ff ff ff 00 06 ff f9 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012867 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012870 -------- Hex Payload Start ---------- 70 77 3a 20 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4;) Parser failed - skipping rule
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2012872 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2012873 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
UNION.+SELECT uricontent:"UNION0SELECT";
|---------------------| Building Rule: 2012874 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
INSERT.+INTO uricontent:"INSERT0INTO";
|---------------------| Building Rule: 2012875 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
UPDATE.+SET uricontent:"UPDATE0SET";
|---------------------| Building Rule: 2012876 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
HANDLERS_DIRECTORY=\s*(ftps?|https?|php)\:\/ uricontent:"HANDLERS_DIRECTORY=ftp:/";
|---------------------| Building Rule: 2012877 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
IMAGES_DIRECTORY=\s*(ftps?|https?|php)\:\/ uricontent:"IMAGES_DIRECTORY=ftp:/";
|---------------------| Building Rule: 2012878 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
imgp=\s*(ftps?|https?|php)\:\/ uricontent:"imgp=ftp:/";
|---------------------| Building Rule: 2012879 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
trackback_url=\s*(ftps?|https?|php)\:\/ uricontent:"trackback_url=ftp:/";
|---------------------| Building Rule: 2012880 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
permLink=\s*(ftps?|https?|php)\:\/ uricontent:"permLink=ftp:/";
|---------------------| Building Rule: 2012881 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012882 -------- Hex Payload Start ---------- 4d 53 47 20 35 20 4e 20 31 33 30 0d 0a 4d 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a 20 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012884 -------- Hex Payload Start ---------- 61 70 70 6c 65 74 66 69 6c 65 3a 43 3a 5c 50 72 6f 67 72 61 6a 61 76 61 6a 72 65 36 6c 69 62 65 78 74 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; content:"passwd="; nocase; http_client_body; classtype:policy-violation; sid:2012886; rev:3;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; content:"pass="; nocase; http_client_body; classtype:policy-violation; sid:2012887; rev:3;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pwd= in cleartext"; flow:established,to_server; content:"pwd="; nocase; http_client_body; classtype:policy-violation; sid:2012888; rev:3;) Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passphrase= in cleartext"; flow:established,to_server; content:"passphrase="; nocase; http_client_body; classtype:policy-violation; sid:2012890; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pword= in cleartext"; flow:established,to_server; content:"pword="; nocase; http_client_body; classtype:policy-violation; sid:2012891; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2012892 -------- Hex Payload Start ---------- 10 00 00 00 57 69 6e 64 6f 77 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012893 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 79 62 65 72 64 6f 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012894 -------- Hex Payload Start ---------- 71 4e 6c 39 34 65 66 59 41 7a 32 32 37 4f 71 45 44 4d 50 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012895 -------- Hex Payload Start ---------- 44 78 47 54 33 43 6d 42 66 39 73 39 6c 74 62 6a 35 61 4a 7c 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012896 -------- Hex Payload Start ---------- 2e 61 65 2e 61 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012897 -------- Hex Payload Start ---------- 2e 6e 6f 63 2e 73 75 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012898 -------- Hex Payload Start ---------- 2e 62 65 2e 6d 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012899 -------- Hex Payload Start ---------- 2e 71 63 2e 63 78 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012900 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 02 61 65 02 61 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2012901 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 03 6e 6f 63 02 73 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012902 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 62 65 02 6d 61 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012903 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 02 71 63 02 63 78 --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA content:"<OBJECT classid=clsid:3A86F1F2-4921-4C75-AF2C-A1AA241E12BA";
|---------------------| Building Rule: 2012905 -------- Hex Payload Start ---------- 33 41 38 36 46 31 46 32 2d 34 39 32 31 2d 34 43 37 35 2d 41 46 32 43 2d 41 31 41 41 32 34 31 45 31 32 42 41 49 43 4d 50 53 65 6e 64 45 63 68 6f 52 65 71 75 65 73 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 33 41 38 36 46 31 46 32 2d 34 39 32 31 2d 34 43 37 35 2d 41 46 32 43 2d 41 31 41 41 32 34 31 45 31 32 42 41 --------- Hex Payload End -----------
stream(\x0D\x0A|\x0A)FWS content:"stream FWS";
|---------------------| Building Rule: Protocol Not Supported
stream(\x0D\x0A|\x0A)CWS content:"stream CWS";
|---------------------| Building Rule: Protocol Not Supported
\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$ uricontent:".php?v=A&id=0&wv=0";
|---------------------| Building Rule: 2012908 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2017067 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 6f 6f 67 6c 65 20 70 61 67 65 --------- Hex Payload End -----------
\/xxxx_\d+\/ uricontent:"/xxxx_0/";
|---------------------| Building Rule: 2012918 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"expand=0script";
|---------------------| Building Rule: 2012919 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
(\x2a\x3f){700} NOT IMPL not _simple(av) in REPEATING CODES uricontent:"";
|---------------------| Building Rule: 2012926 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3;) Parser failed - skipping rule
\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22 content:""0" + "a" + "";
|---------------------| Building Rule: 2012925 Error here within! -------- Hex Payload Start ---------- 22 75 22 20 2b 20 22 30 22 20 2b 20 22 20 22 20 2b 20 22 20 22 30 22 20 2b 20 22 61 22 20 2b 20 22 --------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566 content:"<OBJECT classid=clsid:55963676-2F5E-4BAF-AC28-CF26AA587566";
|---------------------| Building Rule: 2012929 -------- Hex Payload Start ---------- 35 35 39 36 33 36 37 36 2d 32 46 35 45 2d 34 42 41 46 2d 41 43 32 38 2d 43 46 32 36 41 41 35 38 37 35 36 36 75 72 6c 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 35 35 39 36 33 36 37 36 2d 32 46 35 45 2d 34 42 41 46 2d 41 43 32 38 2d 43 46 32 36 41 41 35 38 37 35 36 36 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012930 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 43 69 73 63 6f 2e 41 6e 79 43 6f 6e 6e 65 63 74 2e 56 50 4e 57 65 62 2e 31 75 72 6c --------- Hex Payload End -----------
|---------------------| Building Rule: 2012931 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a NOT IMPL not _simple(av) in REPEATING CODES content:"name=".zip" ";
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2012933 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012934 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012935 -------- Hex Payload Start ---------- 47 45 54 20 20 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012936 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 5a 6d 45 75 --------- Hex Payload End -----------
|---------------------| Building Rule: 2012937 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 28 69 6e 74 65 72 6e 61 6c 20 64 75 6d 6d 79 20 63 6f 6e 6e 65 63 74 69 6f 6e 29 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2;) Parser failed - skipping rule
\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq= uricontent:".jpg?v0=0&tq=";
|---------------------| Building Rule: 2012939 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 6f 7a 69 6c 6c 61 2f 32 2e 30 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2012940 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012941 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012942 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012943 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012944 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2012945 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End -----------
do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"do=0script";
|---------------------| Building Rule: 2012946 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Fichier_a_telecharger=\w uricontent:"Fichier_a_telecharger=A"; |---------------------| Building Rule: 2012947 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012948 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2012949 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- path_om=\s*(ftps?|https?|php)\:\/ uricontent:"path_om=ftp:/"; |---------------------| Building Rule: 2012950 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- path_om=\s*(ftps?|https?|php)\:\/ uricontent:"path_om=ftp:/"; |---------------------| Building Rule: 2012951 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- path_om=\s*(ftps?|https?|php)\:\/ uricontent:"path_om=ftp:/"; |---------------------| Building Rule: 2012952 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- path_om=\s*(ftps?|https?|php)\:\/ uricontent:"path_om=ftp:/"; |---------------------| Building Rule: 2012953 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- path_om=\s*(ftps?|https?|php)\:\/ uricontent:"path_om=ftp:/"; |---------------------| Building Rule: 2012954 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2012955 -------- Hex Payload Start ---------- 2e 63 6f 2e 74 76 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2012956 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 02 63 6f 02 74 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012957 -------- Hex Payload Start ---------- 14 00 00 00 04 00 00 00 78 9c 63 60 60 60 00 00 00 04 00 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012959 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 63 53 68 69 65 6c 64 --------- Hex Payload End ----------- \x2f\d+?\x2erar$ uricontent:"/0.rar"; |---------------------| Building Rule: 2012960 -------- Hex Payload Start ---------- 2e 72 61 72 20 48 54 54 50 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2012961 Error here within! -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 38 38 0d 0a 0d 0a 0d 0a 20 20 20 20 48 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012962 -------- Hex Payload Start ---------- 30 78 30 61 30 61 30 61 30 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012963 -------- Hex Payload Start ---------- 30 78 30 62 30 62 30 62 30 62 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012964 -------- Hex Payload Start ---------- 30 78 30 63 30 63 30 63 30 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012965 -------- Hex Payload Start ---------- 30 78 30 64 30 64 30 64 30 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012966 -------- Hex Payload Start ---------- 25 30 64 25 30 64 25 30 64 25 30 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012967 -------- Hex Payload Start ---------- 25 75 30 64 25 75 30 64 25 75 30 64 25 75 30 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012968 -------- Hex Payload Start ---------- 25 75 30 64 30 64 25 75 30 64 30 64 
--------- Hex Payload End ----------- \x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d] content:"|u0a|u0a/|u0a|u0a"; Parser failed - skipping rule \x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d] content:"\u0a\u0a/\u0a\u0a"; |---------------------| Building Rule: 2012970 -------- Hex Payload Start ---------- 5c 75 30 20 5c 75 30 20 5c 75 30 61 5c 75 30 61 2f 5c 75 30 61 5c 75 30 61 --------- Hex Payload End ----------- \x2Fu\x2Fupd\x5F(cb|.+\x2Ecb) uricontent:"/u/upd_cb"; |---------------------| Building Rule: 2012971 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012972 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012973 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- si\x5F[a-z]{5}[0-9]{5}\x2Ecb content:"si_aaaaa00000.cb"; |---------------------| Building Rule: 2012974 Error here within! -------- Hex Payload Start ---------- 73 69 5f 20 20 20 20 20 20 20 20 20 20 2e 63 62 20 73 69 5f 61 61 61 61 61 30 30 30 30 30 2e 63 62 --------- Hex Payload End ----------- seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb content:"seclog_aaaaa00000_0.kcb"; |---------------------| Building Rule: 2012975 -------- Hex Payload Start ---------- 73 65 63 6c 6f 67 5f 20 2e 6b 63 62 20 73 65 63 6c 6f 67 5f 61 61 61 61 61 30 30 30 30 30 5f 30 2e 6b 63 62 --------- Hex Payload End ----------- query\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"query=0script"; |---------------------| Building Rule: 2012976 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2012977 -------- Hex Payload Start ---------- 54 52 41 43 45 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2012979 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 26 48 69 64 65 5f 43 61 70 74 63 68 61 3d 30 26 4c 4f 47 49 4e 5f 4e 41 4d 45 3d 26 71 75 65 73 4c 69 73 74 3d --------- Hex Payload End ----------- searchString\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"searchString=0script"; |---------------------| Building Rule: 2012980 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- filename\x3D\x22[^\r\n]*security[^\n]+\.exe content:"filename="security#.exe"; |---------------------| Building Rule: 2012981 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 22 20 73 65 63 75 72 69 74 79 20 66 69 6c 65 6e 61 6d 65 3d 22 73 65 63 75 72 69 74 79 00 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012982 -------- Hex Payload Start ---------- 61 62 75 73 65 61 74 2e 6f 72 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012983 -------- Hex Payload Start ---------- 73 70 61 6d 63 6f 70 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012985 -------- Hex Payload Start ---------- 73 6f 72 62 73 2e 6e 65 74 --------- Hex Payload 
End ----------- |---------------------| Building Rule: 2012986 -------- Hex Payload Start ---------- 72 6f 62 74 65 78 2e 63 6f 6d --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2012990 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2012987 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2012988 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2012989 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2012991 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- CKEditorFuncNum\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"CKEditorFuncNum=0script"; |---------------------| Building Rule: 2012992 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- include_path=\s*(ftps?|https?|php)\:\/ uricontent:"include_path=ftp:/"; |---------------------| Building Rule: 2012993 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- _PEAR_PHPDIR=\s*(ftps?|https?|php)\:\/ uricontent:"_PEAR_PHPDIR=ftp:/"; |---------------------| Building Rule: 2012994 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012995 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- 
sort=\w uricontent:"sort=A"; |---------------------| Building Rule: 2012996 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- \/info.php\?n=\d uricontent:"/info0php?n=0"; |---------------------| Building Rule: 2013010 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY StumbleUpon Submission Detected"; flow:established,to_server; content:"X-SU-Version|3a| "; http_header; threshold: type both, count 2, seconds 300, track by_src; classtype:policy-violation; sid:2013013; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2013002 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013001 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013000 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012999 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2012998 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013014 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013003 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2013004 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013005 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013006 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013007 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013008 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013009 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013015 -------- Hex Payload Start ---------- 69 61 6e 78 7a 36 7a 65 66 6b 37 32 75 6c 7a 7a 2e 6f 6e 69 6f 6e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013016 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 10 69 61 6e 78 7a 36 7a 65 66 6b 37 32 75 6c 7a 7a 05 6f 6e 69 6f 6e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; content:"User-Agent|3a| x|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:trojan-activity; sid:2013017; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2013018 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 4d 4c 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013019 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013020 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013022 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013023 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 67 6f 6e 67 66 75 2d 61 6e 64 72 6f 69 64 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013024 -------- Hex Payload Start ---------- 70 61 63 6b 32 30 30 20 20 4a 61 76 61 2f 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013025 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013027 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Secure-Soft.Stealer Checkin"; flow:to_server,established; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; http_client_body; fast_pattern:46,20; reference:url,www.threatexpert.com/report.aspx?md5=c86923d90ef91653b0a61eb2fbfae202; reference:url,www.threatexpert.com/report.aspx?md5=0a52131eebbee1df877767875ab32352; classtype:trojan-activity; sid:2013026; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2013028 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013030 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 69 62 77 77 77 2d 70 65 72 6c 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013031 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 79 74 68 6f 6e 2d 75 72 6c 6c 69 62 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013032 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 6d 61 69 6c 53 69 70 68 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013033 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 6d 61 69 6c 53 69 70 68 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013034 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013035 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2013048 -------- Hex Payload Start ---------- 20 2e 4a 50 47 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013038 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 77 61 70 6c 6f 76 65 02 63 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013040 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013041 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 73 65 61 72 63 68 77 65 62 6d 6f 62 69 6c 65 03 63 6f 6d --------- Hex Payload End ----------- (?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog) uricontent:""; |---------------------| Building Rule: 2013042 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013043 -------- Hex Payload Start ---------- 50 4f 53 54 20 0d 0a 0d 0a 61 63 74 69 6f 6e 3d 67 65 74 26 61 70 70 6c 69 63 61 74 69 6f 6e 49 44 3d 26 64 65 76 65 6c 6f 70 65 72 49 64 3d 26 64 65 76 69 63 65 49 64 3d 61 6e 64 72 6f 69 64 2e 70 65 72 6d 69 73 73 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013044 -------- Hex Payload Start ---------- 0d 0a 75 72 6c 3d 68 74 74 70 3a 2f 2f 50 72 6f 74 6f 63 6f 6c 47 57 2f 3b 66 69 6c 65 6e 61 6d 65 3d --------- Hex Payload End ----------- \/load\.php\?file=(\d+|(\w+)?grabber(s)?|uploader)(&luck=\d)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/load.php?file=0"; |---------------------| Building Rule: 2013045 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013046 -------- Hex Payload Start ---------- 20 6c 6f 67 73 3d 26 6d 6f 64 75 6c 65 3d 67 72 61 62 62 65 72 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013047 Error here depth! 
-------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 54 54 50 2f 31 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013049 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 6e 67 65 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013050 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 6e 67 65 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013051 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 78 79 73 63 61 6e 64 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013052 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 78 79 73 63 61 6e 64 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013053 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 79 43 75 72 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2013054 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 79 43 75 72 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2013055 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 65 61 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013056 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 65 61 63 68 20 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013057 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 48 50 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013058 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 48 50 2f --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin"; flow:established,to_server; content:"/api/work/getwork?"; http_uri; depth:18; content:"bitcoinplus.com"; http_header; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2013059; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2013061 -------- Hex Payload Start ---------- 2f 73 69 64 65 6e 61 6d 65 2e 6a 73 5c 22 3e 3c 2f 73 63 72 69 70 74 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013062 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013063 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 73 65 61 72 63 68 2f 67 65 74 74 79 2e 70 68 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013064 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013065 -------- Hex Payload Start ---------- 47 45 54 20 2f 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013066 -------- Hex Payload Start ---------- 73 65 74 41 74 74 72 69 62 75 74 65 28 43 3a 5c 5c 50 72 6f 67 72 61 6a 61 76 61 6a 72 65 36 6c 69 62 65 78 74 --------- Hex Payload End ----------- GRANT.{1,5}TO uricontent:"GRANT0TO"; |---------------------| Building Rule: 2013068 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013070 -------- Hex Payload Start ---------- 74 53 41 43 1d 02 01 00 ff ff 11 11 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013071 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013072 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4a 32 4d 45 2f 55 43 57 45 42 
--------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Meredrop Checkin"; flow:established, to_server; content:"POST"; nocase; http_method; content:"praquem="; http_client_body; content:"&titulo="; http_client_body; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:trojan-activity; sid:2013073; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2013075 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 00 20 2e 20 00 20 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013076 Error here within! 
-------- Hex Payload Start ---------- 47 45 54 20 20 48 54 54 50 2f 31 2e 20 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 0d 0a 48 6f 73 74 3a 20 20 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013078 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013079 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2013080 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013081 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013082 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013083 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013084 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- nsextt\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"nsextt=0script"; |---------------------| Building Rule: 2013085 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- sortorder\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"sortorder=0script"; |---------------------| Building Rule: 2013086 -------- 
Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- root_path=\s*(ftps?|https?|php)\:\/ uricontent:"root_path=ftp:/"; |---------------------| Building Rule: 2013087 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- root_path=\s*(ftps?|https?|php)\:\/ uricontent:"root_path=ftp:/"; |---------------------| Building Rule: 2013088 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- root_path=\s*(ftps?|https?|php)\:\/ uricontent:"root_path=ftp:/"; |---------------------| Building Rule: 2013089 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- ^KEEPALIVE\x7c?\d content:"KEEPALIVE0"; |---------------------| Building Rule: 2013091 -------- Hex Payload Start ---------- 4b 45 45 50 41 4c 49 56 45 20 4b 45 45 50 41 4c 49 56 45 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013092 -------- Hex Payload Start ---------- 55 53 45 52 20 6c 6f 64 6f 73 78 78 78 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3;) Parser failed - skipping rule \/\?[0-9a-f]{60,66}[\;\d\x2c]*$ uricontent:"/?000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2013094 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"expand=0script"; |---------------------| Building Rule: 2013095 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported username\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D) uricontent:"username=0script"; |---------------------| Building Rule: 2013099 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- name\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D) uricontent:"name=0script"; |---------------------| Building Rule: 2013100 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- roleName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D) uricontent:"roleName=0script"; |---------------------| Building Rule: 2013101 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- 
groupId\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D) uricontent:"groupId=0script"; |---------------------| Building Rule: 2013102 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"legacyArtifactPath0path=0script"; |---------------------| Building Rule: 2013103 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- proxyid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"proxyid=0script"; |---------------------| Building Rule: 2013104 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- repository.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D) uricontent:"repository0id=0script"; |---------------------| Building Rule: 2013105 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- repoid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D) uricontent:"repoid=0script"; |---------------------| Building Rule: 2013106 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- organisationName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"organisationName=0script"; |---------------------| Building Rule: 2013107 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload 
ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"legacyArtifactPath0path=0script"; |---------------------| Building Rule: 2013108 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- proxy.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D) uricontent:"proxy0id=0script"; |---------------------| Building Rule: 2013109 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- proxy.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D) uricontent:"proxy0id=0script"; |---------------------| Building Rule: 2013110 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"legacyArtifactPath0path=0script"; |---------------------| Building Rule: 2013111 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- organisationName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"organisationName=0script"; |---------------------| Building Rule: 2013112 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013114 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013115 -------- Hex Payload Start ---------- 47 45 54 20 2f 6d 75 69 65 62 6c 61 63 6b 63 61 74 20 48 54 54 50 2f 31 2e 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013116 -------- Hex Payload Start ---------- 47 45 54 20 2f 2f 20 48 54 54 
50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 48 6f 73 74 3a 20 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a 0d 0a --------- Hex Payload End ----------- sort\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"sort=0alert"; |---------------------| Building Rule: 2013117 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- orderby\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"orderby=0alert"; |---------------------| Building Rule: 2013118 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile) content:"<OBJECT classid=clsid:31AE647D-11D1-4E6A-BE2D-90157640019A0Execute"; |---------------------| Building Rule: 2013119 -------- Hex Payload Start ---------- 33 31 41 45 36 34 37 44 2d 31 31 44 31 2d 34 45 36 41 2d 42 45 32 44 2d 39 30 31 35 37 36 34 30 30 31 39 41 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 33 31 41 45 36 34 37 44 2d 31 31 44 31 2d 34 45 36 41 2d 42 45 32 44 2d 39 30 31 35 37 36 34 30 30 31 39 41 30 45 78 65 63 75 74 65 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013124 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 63 6f 02 62 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013123 -------- Hex Payload Start ---------- 2e 63 6f 2e 62 65 0d 0a --------- Hex Payload End ----------- &si=\d+&si=\d+&rd=20\d{11} uricontent:"&si=0&si=0&rd=2000000000000"; |---------------------| Building Rule: 2013122 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2013125 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013126 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013127 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013128 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013129 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- 
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B content:"<OBJECT classid=clsid:79956462-F148-497F-B247-DF35A095F80B"; |---------------------| Building Rule: 2013130 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 37 39 39 35 36 34 36 32 2d 46 31 34 38 2d 34 39 37 46 2d 42 32 34 37 2d 44 46 33 35 41 30 39 35 46 38 30 42 20 2e 44 6f 77 6e 6c 6f 61 64 49 6d 61 67 65 46 69 6c 65 55 52 4c 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 37 39 39 35 36 34 36 32 2d 46 31 34 38 2d 34 39 37 46 2d 42 32 34 37 2d 44 46 33 35 41 30 39 35 46 38 30 42 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000 content:"<OBJECT classid=clsid:2E980303-C865-11CF-BA24-444553540000"; |---------------------| Building Rule: 2013131 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 45 39 38 30 33 30 33 2d 43 38 36 35 2d 31 31 43 46 2d 42 41 32 34 2d 34 34 34 35 35 33 35 34 30 30 30 30 20 2e 47 65 74 49 74 65 6d 51 75 65 75 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 45 39 38 30 33 30 33 2d 43 38 36 35 2d 31 31 43 46 2d 42 41 32 34 2d 34 34 34 35 35 33 35 34 30 30 30 30 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000 content:"<OBJECT classid=clsid:2E980303-C865-11CF-BA24-444553540000"; |---------------------| Building Rule: 2013132 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 45 39 38 30 33 30 33 2d 43 38 36 35 2d 31 31 43 46 2d 42 41 32 34 2d 34 34 34 35 35 33 35 34 30 30 30 30 20 2e 47 65 74 46 69 72 73 74 49 74 65 6d 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 45 39 38 30 33 30 33 2d 43 38 36 35 2d 31 31 43 46 2d 42 41 32 34 2d 
34 34 34 35 35 33 35 34 30 30 30 30 --------- Hex Payload End ----------- vidid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"vidid=0script"; |---------------------| Building Rule: 2013133 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- uname\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"uname=0script"; |---------------------| Building Rule: 2013134 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013135 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013136 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 32 0d 0a 0d 0a 0d 0a 4f 4b --------- Hex Payload End ----------- value\x22[^\x22]*\x2Eswf\x3finfo\x3D content:"value".swf?info="; |---------------------| Building Rule: 2013137 -------- Hex Payload Start ---------- 3c 70 61 72 61 6d 20 6e 61 6d 65 3d 76 61 6c 75 65 3d 2e 73 77 66 3f 69 6e 66 6f 3d 20 76 61 6c 75 65 22 2e 73 77 66 3f 69 6e 66 6f 3d --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; http_client_body; distance:0; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2013140 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013141 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013142 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013143 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013144 -------- Hex Payload Start ---------- 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 72 65 65 73 65 74 27 29 76 69 65 77 2e 73 65 6c 65 63 74 69 6f 6e 69 6e 76 61 6c 69 64 61 74 65 52 61 6e 67 65 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2013145 -------- Hex Payload Start ---------- 25 34 31 25 34 31 25 34 31 25 34 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013146 -------- Hex Payload Start ---------- 25 75 34 31 25 75 34 31 25 75 34 31 25 75 34 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013147 -------- Hex Payload Start ---------- 25 75 34 31 34 31 25 75 34 31 34 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013149 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- (Loging|Hidden)Password\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange) uricontent:"LogingPassword=0script"; |---------------------| Building Rule: 2013150 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C content:"util0printf("%f","; |---------------------| Building Rule: 2013152 -------- Hex Payload Start ---------- 75 74 69 6c 2e 70 72 69 6e 74 66 28 22 25 20 75 74 69 6c 30 70 72 69 6e 74 66 28 22 25 66 22 2c --------- Hex Payload End ----------- <<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838 content:"<</Predictor/Colors 1073741838"; |---------------------| Building Rule: 2013153 -------- Hex Payload Start ---------- 43 6f 6c 6f 72 73 20 31 30 37 33 37 34 31 38 33 38 20 3c 3c 2f 50 72 65 64 69 63 74 6f 72 2f 43 6f 6c 6f 72 73 20 31 30 37 33 37 34 31 38 33 38 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Opera/"; http_header; content:"Presto/"; http_header; fast_pattern; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2013155 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013156 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013157 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013158 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013159 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6FC2988-16BE-4053-BE89-F562431FD6ED content:"<OBJECT classid=clsid:A6FC2988-16BE-4053-BE89-F562431FD6ED"; |---------------------| Building Rule: 2013160 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 41 36 46 43 32 39 38 38 2d 31 36 42 45 2d 34 30 35 33 2d 42 45 38 39 2d 46 35 36 32 34 33 31 46 44 36 45 44 20 2e 53 61 76 65 44 61 74 61 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 41 36 46 43 32 39 38 38 2d 31 36 42 45 2d 34 30 35 33 2d 42 45 38 39 2d 46 35 36 32 34 33 31 46 44 36 45 44 --------- Hex Payload 
End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289 content:"<OBJECT classid=clsid:27527D31-447B-11D5-A46E-0001023B4289"; |---------------------| Building Rule: 2013161 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 37 35 32 37 44 33 31 2d 34 34 37 42 2d 31 31 44 35 2d 41 34 36 45 2d 30 30 30 31 30 32 33 42 34 32 38 39 20 2e 49 6e 69 74 69 61 6c 69 7a 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 37 35 32 37 44 33 31 2d 34 34 37 42 2d 31 31 44 35 2d 41 34 36 45 2d 30 30 30 31 30 32 33 42 34 32 38 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289 content:"<OBJECT classid=clsid:27527D31-447B-11D5-A46E-0001023B4289"; |---------------------| Building Rule: 2013162 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 37 35 32 37 44 33 31 2d 34 34 37 42 2d 31 31 44 35 2d 41 34 36 45 2d 30 30 30 31 30 32 33 42 34 32 38 39 20 2e 52 75 6e 43 6f 72 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 37 35 32 37 44 33 31 2d 34 34 37 42 2d 31 31 44 35 2d 41 34 36 45 2d 30 30 30 31 30 32 33 42 34 32 38 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F content:"<OBJECT classid=clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F"; |---------------------| Building Rule: 2013163 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 30 30 31 34 30 38 35 46 2d 42 31 42 41 2d 31 31 43 45 2d 41 42 43 36 2d 46 35 42 32 45 37 39 44 39 45 33 46 20 2e 53 61 76 65 4d 65 73 73 61 67 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 30 31 34 30 38 35 46 2d 42 31 42 41 2d 31 31 43 45 2d 41 42 43 36 2d 46 35 42 32 45 37 39 44 39 45 33 
46 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2013164 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013165 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2013168 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 62 6f 74 76 65 72 3d 20 26 62 75 69 6c 64 3d 20 26 70 72 6f 66 69 6c 65 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013169 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013172 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 02 63 75 02 63 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013171 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 6d 69 6e 6f 48 75 6e 74 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013173 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 74 6f 6d 69 63 5f 45 6d 61 69 6c 5f 48 75 6e 74 65 72 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013174 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 74 6f 6d 69 63 5f 45 6d 61 69 6c 5f 48 75 6e 74 65 72 2f --------- Hex Payload End ----------- EGYPACK_CRYPT\d content:"EGYPACK_CRYPT0"; |---------------------| Building Rule: 2013175 -------- Hex Payload Start ---------- 45 47 59 50 41 43 4b 5f 43 52 59 50 54 20 45 47 59 50 41 43 4b 5f 43 52 59 50 54 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013176 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 67 79 70 61 63 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2013184 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 77 67 65 74 20 33 2e 30 3b 20 72 76 3a 35 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 35 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013178 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 20 20 20 20 20 20 20 20 77 67 65 74 20 33 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013181 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013182 -------- Hex Payload Start 
---------- 20 20 20 20 2e 63 6f 2e 6b 72 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| ICS)"; http_header; fast_pattern:20,20; content:"para="; http_client_body; depth:5; content:"&subject="; http_client_body; content:"&dados="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; reference:url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5; classtype:trojan-activity; sid:2013185; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2013187 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 6d 69 6e 65 72 76 61 05 63 64 6d 6f 6e 03 6f 72 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013188 -------- Hex Payload Start ---------- 55 53 45 52 20 3a 29 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2013190 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 73 74 61 6c 6c 65 72 20 50 69 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013192 -------- Hex Payload Start ---------- 63 73 73 6d 69 6e 69 62 61 72 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013193 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013194 -------- Hex Payload Start ---------- 3c 63 6f 6e 6e 65 63 74 3e 68 74 74 70 3a 2f 2f 3c 73 65 6e 64 20 6e 75 6d 62 65 72 3d 3c 69 6e 73 6d 73 3e 68 74 74 70 3a 2f 2f 3c 64 65 6c 65 74 65 20 6e 75 6d 62 65 72 3d 3c 63 6c 65 61 6e 20 61 70 70 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013195 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013198 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013196 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013197 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013199 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013200 -------- Hex Payload 
\.cgi\?s(id)?=\d{1,12}&r= NOT IMPL not _simple(av) in REPEATING CODES uricontent:".cgi?s=0&r=";
Building Rule: 2013201
Building Rule: 2013206
Building Rule: 2013202
Building Rule: 2013203
Building Rule: 2013207
\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D) uricontent:"&PhoneNumber=";
Building Rule: 2013208
Building Rule: Protocol Not Supported
Building Rule: 2013210
Building Rule: 2013211
Building Rule: 2013213
Building Rule: 2013214
Building Rule: 2013217
Building Rule: Protocol Not Supported
Building Rule: 2013221
Building Rule: 2013222
Building Rule: 2016941
Building Rule: 2018608
Building Rule: Protocol Not Supported
Building Rule: 2013225
secteur\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"secteur=0script";
Building Rule: 2013226
SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2013227
DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2013228
UNION.+SELECT uricontent:"UNION0SELECT";
Building Rule: 2013229
INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2013230
UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2013231
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E content:"<OBJECT classid=clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E";
Building Rule: 2013232
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B70AB61-5C95-4126-9985-A32531CA8619 content:"<OBJECT classid=clsid:0B70AB61-5C95-4126-9985-A32531CA8619";
Building Rule: 2013233
or.*substring\( uricontent:"orsubstring(";
Building Rule: 2013234
Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2;) Parser failed - skipping rule
\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16} content:"visibility:hidden"><div>0000000000000000";
Building Rule: 2013237
Building Rule: 2013238
Building Rule: 2013240
Building Rule: 2013241
Building Rule: 2013243
Building Rule: 2013244
Building Rule: 2013245
Building Rule: 2013246
Building Rule: 2013247
Building Rule: Protocol Not Supported
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:3;) Parser failed - skipping rule
Building Rule: 2013251
Building Rule: 2013252
Building Rule: Protocol Not Supported
Building Rule: 2013254
Building Rule: 2013256
Building Rule: 2013259
Building Rule: 2013260
Building Rule: 2013261
Building Rule: 2013263
Building Rule: 2013264
Building Rule: 2013267
Building Rule: 2013268
Building Rule: 2013269
Building Rule: 2013270
Building Rule: 2013265
Building Rule: 2013266
Building Rule: 2013271
unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2} content:"unescape("\xaa\xaa\xaa";
Building Rule: 2013272 Error here within! Error here within! Error here within! Error here within!
Building Rule: 2013273
Building Rule: 2013274
Building Rule: 2013275
Building Rule: 2013276
Building Rule: 2013277
Building Rule: 2013278
Building Rule: 2013279
Building Rule: 2013280
Building Rule: 2013281
Building Rule: 2013282
Building Rule: 2013283
Building Rule: 2013284
Building Rule: 2013285
\x2F(data|main|patch)\x2Ecfg uricontent:"/data.cfg";
Building Rule: 2013286
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Papras Banking Trojan Checkin"; flow:established,to_server; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; http_client_body; content:"POST"; nocase; http_method; reference:url,www.threatexpert.com/report.aspx?md5=85d82c840f4b90fcb6d5311f501374ca; classtype:trojan-activity; sid:2013287; rev:5;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3;) Parser failed - skipping rule
[0-9a-f]{40}[^0-9a-f] content:"0000000000000000000000000000000000000000#";
Building Rule: 2013289
[0-9a-f]{40}[^0-9a-f] uricontent:"0000000000000000000000000000000000000000#";
Building Rule: 2013290
Building Rule: 2013291
Building Rule: 2013292
Building Rule: 2013293
Building Rule: 2013295
Building Rule: 2013298 Protocol Not Supported
method\x3D(update|startcharge) uricontent:"method=update";
Building Rule: 2013299
Building Rule: 2013300
SELECT.+FROM uricontent:"SELECT0FROM";
Building Rule: 2013303
DELETE.+FROM uricontent:"DELETE0FROM";
Building Rule: 2013304
UNION.+SELECT uricontent:"UNION0SELECT";
Building Rule: 2013305
INSERT.+INTO uricontent:"INSERT0INTO";
Building Rule: 2013306
UPDATE.+SET uricontent:"UPDATE0SET";
Building Rule: 2013307
page=\s*(ftps?|https?|php)\:\/ uricontent:"page=ftp:/";
Building Rule: 2013308
Building Rule: 2013309
title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"title=0script";
Building Rule: 2013310
Building Rule: 2013311
\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com uricontent:"/se/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaa/AAAA.com";
Building Rule: 2013312
\S{20,40}\'\> content:"AAAAAAAAAAAAAAAAAAAA'>";
Building Rule: 2013314
Building Rule: 2013316
Building Rule: 2013317
Building Rule: 2013318
mfc71[a-z]{2,3}\x2Edll uricontent:"mfc71aa.dll";
Building Rule: 2013322
Building Rule: 2013327
Building Rule: 2013328 Error here depth!
Building Rule: 2013329
Building Rule: 2013330
Building Rule: 2013331
Building Rule: 2013332
Building Rule: 2013333
Building Rule: Protocol Not Supported
Building Rule: 2013337 Error here depth!
Building Rule: 2013338 Error here depth!
\/\d{10}$ uricontent:"/0000000000";
Building Rule: 2013339
\x2f\x3fdata\x3d[a-fA-F0-9]{60} uricontent:"/?data=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
Building Rule: 2013340
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/GetGrid.asp"; http_uri; content:"SN="; http_client_body; depth:3; content:"&SP="; distance:0; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:trojan-activity; sid:2013342; rev:4;) Parser failed - skipping rule
Building Rule: 2013345
Building Rule: 2013346
Building Rule: Protocol Not Supported
Building Rule: 2013348 Error here depth!
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern:18,20; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:4;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:3;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern:45,20; depth:92; classtype:trojan-activity; sid:2013351; rev:3;) Parser failed - skipping rule
Building Rule: 2013352
Building Rule: 2013353 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2013354 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2013355 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2013357 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2013358 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2013359 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2013360 ERROR: HOME_NET 10.0.0.123 Error here within!
Building Rule: 2014398
Building Rule: 2013361
Building Rule: 2013362
Building Rule: 2013364
Building Rule: 2016429
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; content:"PUT"; http_method; content:"<title>.|3a 3a|[+] Defaced by "; nocase; http_client_body; classtype:web-application-attack; sid:2013365; rev:2;) Parser failed - skipping rule
Building Rule: 2013366
Building Rule: 2013367 Error here depth!
Building Rule: 2013368 Error here depth!
Building Rule: 2013369 Error here depth!
Building Rule: 2013372
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV oms.php Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/oms.php"; http_uri; content:"data="; http_client_body; depth:5; classtype:trojan-activity; sid:2013373; rev:2;) Parser failed - skipping rule
Building Rule: 2013374
Building Rule: 2013375
Building Rule: Protocol Not Supported
Building Rule: 2013377
Building Rule: 2013378
Building Rule: 2013379
Building Rule: 2013381
Building Rule: 2013382
Building Rule: 2013383
Building Rule: 2013384 Error here within!
type limit, count 1, seconds 360, track by_src
Building Rule: 2013385
Building Rule: 2013386
Building Rule: 2013387
Building Rule: Protocol Not Supported
Building Rule: 2013389
Building Rule: 2013390
Building Rule: 2013391
Building Rule: 2013392
Building Rule: 2013394
Building Rule: 2013395
Building Rule: 2013396
Building Rule: 2013397
Building Rule: 2013380
Building Rule: 2013400 Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Momibot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; content:"byE8PCdtbzE6PTU8czo3"; http_client_body; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:trojan-activity; sid:2013398; rev:5;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Momibot Ping Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; content:"byE8PCdtbyM6PTRzOjdu"; http_client_body; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:trojan-activity; sid:2013399; rev:3;) Parser failed - skipping rule
Building Rule: 2013401
Building Rule: 2013404
Building Rule: 2013405
Building Rule: Protocol Not Supported
Building Rule: 2013409 Error here within! Error here within! Error here within!
-------- Hex Payload Start ---------- 12 01 00 20 00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00 20 03 00 20 00 04 ff 08 00 01 55 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013411 -------- Hex Payload Start ---------- 49 00 b4 00 4d 00 20 00 54 00 48 00 45 00 20 00 4d 00 41 00 53 00 54 00 45 00 52 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014003 -------- Hex Payload Start ---------- 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013412 -------- Hex Payload Start ---------- 2e 63 6f 2e 63 6f 6d 2e 61 75 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013413 -------- Hex Payload Start ---------- 5c 72 5c 6e 20 43 68 65 63 6b 69 6e 67 20 66 69 72 65 77 61 6c 6c 20 73 74 61 74 75 73 5c 72 5c 6e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2013415 -------- Hex Payload Start ---------- 2e 63 7a 2e 74 66 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013417 -------- Hex Payload Start ---------- 51 75 65 72 79 49 6e 74 65 72 66 61 63 65 28 43 6f 6d 70 6f 6e 65 6e 74 73 2e 69 6e 74 65 72 66 61 63 65 73 2e 6e 73 49 43 68 61 6e 6e 65 6c 45 76 65 6e 74 53 69 6e 6b 29 6f 6e 
43 68 61 6e 6e 65 6c 52 65 64 69 72 65 63 74 28 6e 75 6c 6c --------- Hex Payload End ----------- \.php\?id=\d{2,4}$ uricontent:".php?id=00"; |---------------------| Building Rule: 2013419 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 20 0d 0a 48 6f 73 74 3a 20 20 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013420 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 32 0d 0a 0d 0a 4e 4f --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013423 -------- Hex Payload Start ---------- 52 65 66 65 72 65 72 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 --------- Hex Payload End ----------- eshoptemplate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"eshoptemplate=0script"; |---------------------| Building Rule: 2013425 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"action=0script"; |---------------------| Building Rule: 2013426 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- viewemail\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"viewemail=0script"; |---------------------| Building Rule: 2013427 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6C10489-FB89-11D4-93C9-006008A7EED4 content:"<OBJECT 
classid=clsid:B6C10489-FB89-11D4-93C9-006008A7EED4"; |---------------------| Building Rule: 2013428 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 42 36 43 31 30 34 38 39 2d 46 42 38 39 2d 31 31 44 34 2d 39 33 43 39 2d 30 30 36 30 30 38 41 37 45 45 44 34 20 2e 41 64 64 53 65 72 69 65 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 42 36 43 31 30 34 38 39 2d 46 42 38 39 2d 31 31 44 34 2d 39 33 43 39 2d 30 30 36 30 30 38 41 37 45 45 44 34 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD content:"<OBJECT classid=clsid:536600D3-70FE-4C50-92FB-640F6BFC49AD"; |---------------------| Building Rule: 2013429 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 35 33 36 36 30 30 44 33 2d 37 30 46 45 2d 34 43 35 30 2d 39 32 46 42 2d 36 34 30 46 36 42 46 43 34 39 41 44 20 2e 41 64 64 53 65 72 69 65 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 35 33 36 36 30 30 44 33 2d 37 30 46 45 2d 34 43 35 30 2d 39 32 46 42 2d 36 34 30 46 36 42 46 43 34 39 41 44 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E content:"<OBJECT classid=clsid:FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; |---------------------| Building Rule: 2013430 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 46 41 42 39 42 34 31 43 2d 38 37 44 36 2d 34 37 34 44 2d 41 42 37 45 2d 46 30 37 44 37 38 46 32 34 32 32 45 20 2e 41 64 64 53 65 72 69 65 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 46 41 42 39 42 34 31 43 2d 38 37 44 36 2d 34 37 34 44 2d 41 42 37 45 2d 46 30 37 44 37 38 46 32 34 32 32 45 --------- Hex Payload End ----------- 
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196 content:"<OBJECT classid=clsid:BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; |---------------------| Building Rule: 2013431 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 42 44 45 42 30 30 38 38 2d 36 36 46 39 2d 34 41 35 35 2d 41 42 44 32 2d 30 42 46 38 44 45 45 43 31 31 39 36 20 2e 41 64 64 53 65 72 69 65 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 42 44 45 42 30 30 38 38 2d 36 36 46 39 2d 34 41 35 35 2d 41 42 44 32 2d 30 42 46 38 44 45 45 43 31 31 39 36 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258 content:"<OBJECT classid=clsid:FCB4B50A-E3F1-4174-BD18-54C3B3287258"; |---------------------| Building Rule: 2013432 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 46 43 42 34 42 35 30 41 2d 45 33 46 31 2d 34 31 37 34 2d 42 44 31 38 2d 35 34 43 33 42 33 32 38 37 32 35 38 20 2e 41 64 64 53 65 72 69 65 73 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 46 43 42 34 42 35 30 41 2d 45 33 46 31 2d 34 31 37 34 2d 42 44 31 38 2d 35 34 43 33 42 33 32 38 37 32 35 38 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013433 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- ajax\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"ajax=0script"; |---------------------| Building Rule: 2013434 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013435 -------- Hex Payload Start ---------- 50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 
74 69 62 6c 65 3b 20 4d 53 49 45 20 32 2e 30 3b 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013436 -------- Hex Payload Start ---------- 2f 48 6f 6d 65 2f 69 6e 64 65 78 2e 70 68 70 22 20 77 69 64 74 68 3d 31 20 68 65 69 67 68 74 3d 31 20 73 63 72 6f 6c 6c 69 6e 67 3d 6e 6f 3e 3c 2f 69 66 72 61 6d 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013438 -------- Hex Payload Start ---------- 2e 75 6e 69 2e 63 63 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:9;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Mnless Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"cpname="; http_client_body; depth:7; content:"&hardid="; distance:0; http_client_body; content:"&netid="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&sname="; distance:0; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&val="; distance:0; http_client_body; classtype:trojan-activity; sid:2013443; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2013444 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 74 65 73 74 5f 68 49 6e 74 65 72 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013445 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6e 65 74 73 68 61 72 69 6e 67 73 69 74 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013446 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 79 5f 63 68 65 63 6b 5f 64 61 74 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013447 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013448 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013450 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013451 -------- Hex Payload Start ---------- 50 41 53 53 20 6e 67 72 42 6f 74 4e 49 43 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2013452 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 67 6f 2d 64 69 76 61 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2013453 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013454 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013455 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 55 49 44 54 72 61 63 6b 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013456 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013460 -------- Hex Payload Start ---------- 2e 63 30 6d 2e 6c 69 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013461 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 7a 50 6f 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013472 -------- Hex Payload Start ---------- 52 61 6e 67 65 3a 62 79 74 65 73 3d 30 2d 2c 35 2d 30 2c 35 2d 31 2c 35 2d 32 2c 35 2d 33 2c 35 2d 34 2c 35 2d 35 2c 35 2d 36 2c 35 2d 37 2c 35 2d 38 2c 35 2d 39 2c 35 2d 31 30 2c 35 2d 31 31 2c 35 2d 31 32 2c 35 2d 31 33 2c 35 2d 31 34 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E content:"<OBJECT classid=clsid:22C83263-E4B8-4233-82CD-FB047C6BF13E"; |---------------------| Building Rule: 2013462 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 32 43 38 33 32 36 33 2d 45 34 42 38 2d 34 32 33 33 2d 38 32 43 44 2d 46 42 30 34 37 43 36 42 46 31 33 45 20 2e 46 69 6e 64 43 6f 75 6e 74 72 69 65 73 42 79 4e 61 6d 65 50 61 74 74 65 72 6e 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 32 43 38 33 32 36 33 2d 45 34 42 38 2d 34 32 33 33 2d 38 32 43 
44 2d 46 42 30 34 37 43 36 42 46 31 33 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013463 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 53 6b 79 70 65 50 4e 52 4c 69 62 2e 50 4e 52 20 2e 46 69 6e 64 43 6f 75 6e 74 72 69 65 73 42 79 4e 61 6d 65 50 61 74 74 65 72 6e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013464 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- langval=\s*(ftps?|https?|php)\:\/ uricontent:"langval=ftp:/"; |---------------------| Building Rule: 2013465 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- lang=\s*(ftps?|https?|php)\:\/ uricontent:"lang=ftp:/"; |---------------------| Building Rule: 2013466 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2013467 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013468 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013469 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013470 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013471 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013474 -------- Hex Payload Start ---------- 3c 74 
69 74 6c 65 3e 4e 41 43 48 41 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013475 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013476 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013477 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 2e 64 6f 63 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013478 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 2e 70 64 66 2e 65 78 65 --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2013480 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 71 66 73 6c 03 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013481 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 6a 61 69 66 72 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013482 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 6a 69 66 72 03 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013483 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 6a 69 66 72 02 63 6f 02 63 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013484 -------- Hex Payload Start ---------- 4d 45 54 41 2d 49 4e 46 2f 73 65 72 76 69 63 65 73 2f 6a 61 76 61 78 2e 73 6f 75 6e 64 2e 6d 69 64 69 2e 73 70 69 2e 4d 69 64 69 44 65 76 69 63 65 50 72 6f 76 69 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013485 -------- Hex Payload Start ---------- 4d 45 54 41 2d 49 4e 46 2f 73 65 72 76 69 63 65 73 2f 6a 61 76 61 78 2e 73 6f 75 6e 64 2e 6d 69 64 69 2e 73 70 69 2e 4d 69 64 69 44 65 76 69 63 65 50 72 6f 76 69 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013486 -------- Hex Payload Start ---------- 4a 41 56 41 53 4d 42 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013488 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 20 2e 20 3a 20 6e 6f 2d 63 61 63 68 65 --------- Hex Payload End ----------- \.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$ uricontent:".php?e=0&o=A&b=A&id=00000000000000000000000000000000"; |---------------------| Building Rule: 2013489 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| Windows NT 6.1|3B| en-US)|0D 0A|"; http_header; fast_pattern:20,20; content:"|0D 0A|Accept-Encoding|3A| text|0D 0A|"; http_header; threshold: type both, count 2, seconds 120, track by_src; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2013493 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 71 66 73 6c 02 63 6f 02 62 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013494 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 71 66 73 6c 02 63 6f 02 63 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013495 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 6a 69 66 72 04 69 6e 66 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013496 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 6a 69 66 72 02 63 6f 02 62 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013498 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 6d 6f 76 69 65 73 2e 6e 65 74 66 6c 69 78 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013499 -------- Hex Payload Start ---------- 50 4f 53 54 20 73 3d 50 46 4e 43 49 48 68 74 62 47 35 7a 50 53 4a 54 64 47 46 30 61 58 4e 30 61 57 4e 7a 54 6c 4d 69 50 6a 78 42 49 47 6c 6b 50 53 49 78 49 6a 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013500 -------- Hex Payload Start ---------- 0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c 20 67 6f 6f 67 6c 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013502 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013503 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6f 66 74 77 61 72 65 20 55 70 64 61 74 65 2f 20 20 44 61 72 77 69 6e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013504 -------- Hex Payload Start ---------- 41 50 54 2d 48 54 54 50 2f --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET TROJAN W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2013507 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 42 20 48 74 74 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013508 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 47 45 54 20 0a 20 2e 20 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013509 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013510 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 65 73 73 61 67 65 20 43 65 6e 74 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013511 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 4d 46 52 0d 0a 20 2e 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013512 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 64 65 42 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013513 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 300 |---------------------| Building Rule: 2013505 -------- Hex Payload Start ---------- 20 79 75 6d 2f --------- Hex Payload End ----------- \x32[0-9a-f]{50} content:"200000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 
2013516 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 32 20 00 00 ff 00 01 20 32 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 --------- Hex Payload End ----------- c\x3d[0-9a-f]{100} uricontent:"c=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2013518 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- c\x3d[0-9a-f]{100} uricontent:"c=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2013519 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013521 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 b4 b4 b4 b4 bc bf bf bf bf bd bd bd bd b3 b3 b3 b3 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013522 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 40 40 40 40 48 4b 4b 4b 4b 49 49 49 49 47 47 47 47 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013523 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 0b 0b 0b 0b 03 00 00 00 00 02 02 02 02 0c 0c 0c 0c --------- Hex Payload End ----------- |---------------------| Building Rule: 2013524 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 ac ac ac ac a4 a7 a7 a7 a7 a5 a5 a5 a5 ab ab ab ab --------- Hex Payload End ----------- |---------------------| Building Rule: 2013525 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 dd dd dd dd d5 d6 d6 d6 d6 d4 d4 d4 d4 da da da da --------- Hex Payload End ----------- |---------------------| Building Rule: 2013526 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 7a 7a 7a 7a 72 71 71 71 71 73 73 73 73 7d 7d 7d 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013527 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 b5 b5 b5 b5 bd be be be be bc bc bc bc b2 b2 b2 b2 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013528 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 6f 6f 6f 6f 67 64 64 64 64 66 66 66 66 68 68 68 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013529 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 b4 b4 b4 b4 bc bf bf bf bf bd bd bd bd b3 b3 b3 b3 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013530 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 0f 0f 0f 0f 07 04 04 04 04 06 06 06 06 08 08 08 08 --------- Hex Payload End ----------- ^\x23BOT\x23(VisitUrl|OpenUrl|Ping|RunPrompt|CloseServer|SvrUninstall|URLUpate|URLDownload) content:"#BOT#VisitUrl"; |---------------------| Building Rule: 2013532 -------- Hex Payload Start ---------- 23 42 4f 54 23 20 23 42 4f 54 23 56 69 73 69 74 55 72 6c --------- Hex Payload End ----------- ^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|) content:"#botCommand%close command"; |---------------------| Building Rule: 2013533 -------- Hex Payload Start ---------- 23 62 6f 74 43 6f 6d 6d 61 6e 64 25 20 23 62 6f 74 43 6f 6d 6d 61 6e 64 25 63 6c 6f 73 65 20 63 6f 6d 6d 61 6e 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013534 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013536 -------- Hex Payload Start 
---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 48 6f 73 74 3a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013537 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 48 6f 73 74 3a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013538 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 48 6f 73 74 3a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013539 -------- Hex Payload Start ---------- 20 20 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 48 6f 73 74 3a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013540 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013542 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 65 76 6f 6c 75 74 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013543 -------- Hex Payload Start ---------- 69 47 72 61 62 62 65 72 20 4c 6f 67 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013544 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013546 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 600 |---------------------| Building Rule: 2013547 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d --------- Hex Payload End ----------- pch\.php\?f=\d+$ uricontent:"pch.php?f=0"; |---------------------| Building Rule: 2013548 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- hcp_vbs\.php\?f=\d+&d=\d+$ uricontent:"hcp_vbs.php?f=0&d=0"; |---------------------| Building Rule: 2013549 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.php\?e=\w+&f=\w+$ uricontent:".php?e=A&f=A"; |---------------------| Building Rule: 2013550 -------- Hex Payload Start ---------- 20 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 48 6f 73 74 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016908 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 42 56 44 46 52 45 53 43 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013551 -------- Hex Payload Start ---------- 20 63 6f 64 65 62 61 73 65 3d 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 6a 61 76 61 5c 6a 72 65 36 5c 6c 69 62 5c 65 78 74 22 20 63 6f 64 65 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013552 -------- Hex Payload Start ---------- 20 63 6f 64 65 62 61 73 65 3d 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 6a 61 76 61 5c 6a 72 65 36 5c 6c 69 62 5c 65 78 74 22 20 63 6f 64 65 3d --------- Hex Payload End ----------- hash=\{[a-f0-9]+- uricontent:"hash={a-"; |---------------------| Building Rule: 2013555 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013556 -------- Hex Payload Start ---------- 20 20 20 20 66 72 6f 6d 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 62 73 61 6c 73 61 2e 63 6f 6d 2f 20 45 6d 62 65 64 64 65 64 57 42 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013557 -------- Hex 
Payload Start ---------- 20 20 20 20 66 72 6f 6d 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 62 73 61 6c 73 61 2e 63 6f 6d 2f 20 45 6d 62 65 64 64 65 64 57 42 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013558 -------- Hex Payload Start ---------- 20 20 20 66 72 6f 6d 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 62 73 61 6c 73 61 2e 63 6f 6d 2f 20 45 6d 62 65 64 64 65 64 57 42 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013559 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4a 45 44 49 2d 56 43 4c 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013560 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 6e 6f 54 6f 6f 6c 73 5f 44 6f 77 6e 6c 6f 61 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013561 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 64 53 6f 66 74 0d 0a --------- Hex Payload End ----------- basedir_save=\s*(ftps?|https?|php)\x3a\/ uricontent:"basedir_save=ftp:/"; |---------------------| Building Rule: 2013562 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013563 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013564 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*658ED6E7-0DA1-4ADD-B2FB-095F08091118 content:"<OBJECT classid=clsid:658ED6E7-0DA1-4ADD-B2FB-095F08091118"; |---------------------| Building Rule: 2013565 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 36 35 38 45 44 36 45 37 2d 30 44 41 31 2d 34 41 44 44 2d 42 32 46 42 2d 30 39 35 46 30 38 30 39 31 31 31 38 20 
3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 36 35 38 45 44 36 45 37 2d 30 44 41 31 2d 34 41 44 44 2d 42 32 46 42 2d 30 39 35 46 30 38 30 39 31 31 31 38 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013566 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 6f 6d 53 61 77 79 65 72 2e 44 65 66 61 75 6c 74 45 78 74 46 61 63 74 6f 72 79 2e 35 2e 35 2e 33 2e 32 33 38 2e 56 53 37 2e 31 --------- Hex Payload End ----------- page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"page=0script"; |---------------------| Building Rule: 2013567 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- p\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"p=0script"; |---------------------| Building Rule: 2013568 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- intro=\s*(ftps?|https?|php)\:\/ uricontent:"intro=ftp:/"; |---------------------| Building Rule: 2013569 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- \.php\?spl=[A-Z]{3} uricontent:".php?spl=AAA"; |---------------------| Building Rule: 2013652 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013653 -------- Hex Payload Start ---------- 67 66 3a 7b 20 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013654 -------- Hex Payload Start ---------- 70 66 3a 7b 20 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013655 -------- Hex Payload Start ---------- 68 74 74 70 3a 7b 20 7d 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013656 -------- Hex Payload Start 
---------- 74 61 78 69 3a 20 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013657 -------- Hex Payload Start ---------- 73 6c 70 3a 7b 20 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013658 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013659 Protocol Not Supported |---------------------| Building Rule: 2013661 -------- Hex Payload Start ---------- 70 61 63 6b 32 30 30 20 20 4a 61 76 61 2f 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013662 -------- Hex Payload Start ---------- 50 4b 20 4d 45 54 41 2d 49 4e 46 2f 4d 41 4e 49 46 45 53 54 20 50 4b 45 78 70 6c 6f 69 74 24 31 24 31 2e 63 6c 61 73 73 --------- Hex Payload End ----------- \/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/server_privileges.php?00000000000000000000000000000000=0"; |---------------------| Building Rule: 2013663 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$ uricontent:".php?na=aaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2013665 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$ uricontent:"#.php?page=aaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2013666 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2013668 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 20 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013669 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 20 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 
61 63 68 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013670 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013671 -------- Hex Payload Start ---------- 20 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 20 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013672 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2013673 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013674 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013675 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013676 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013677 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013678 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- lien_2=\s*(ftps?|https?|php)\:\/ uricontent:"lien_2=ftp:/"; |---------------------| Building Rule: 2013679 -------- Hex Payload Start 
---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2013680 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- SearchPhrase\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"SearchPhrase=0script"; |---------------------| Building Rule: 2013681 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013682 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013683 -------- Hex Payload Start ---------- 53 48 4f 57 20 43 4f 4c 55 4d 4e 53 20 46 52 4f 4d 20 77 65 62 72 6f 6e 61 6c 64 6f 67 79 6e 30 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013684 -------- Hex Payload Start ---------- 2e 64 74 64 6e 73 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- \.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$ uricontent:".php?w=0&i=00000000000000000000000000000000&a=0"; |---------------------| Building Rule: 2013685 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- \.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$ uricontent:".php?w=0&fail=0&i=00000000000000000000000000000000"; |---------------------| Building Rule: 2013686 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013688 -------- Hex Payload Start ---------- 0d 0a 0d 0a 23 23 23 45 52 52 4f 52 5f 53 52 43 23 23 23 23 23 23 45 52 52 4f 52 5f 53 52 43 5f 45 4e 44 23 23 23 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013748 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End 
----------- |---------------------| Building Rule: 2013747 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6c 64 69 20 42 6f 74 --------- Hex Payload End ----------- \/[a-f0-9]{60,}_js\? uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_js?"; |---------------------| Building Rule: 2013690 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/[a-f0-9]{60,}_jar$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_jar"; |---------------------| Building Rule: 2013691 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013693 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/[a-f0-9]{60,}_exe$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_exe"; |---------------------| Building Rule: 2013692 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013694 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 70 61 63 68 65 2d 48 74 74 70 43 6c 69 65 6e 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013696 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013697 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013698 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013699 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 61 70 70 6c 65 74 20 61 72 63 68 69 76 65 3d 77 69 64 74 68 3d 22 30 22 20 68 65 69 67 68 74 3d 22 30 22 3e 3c 2f 61 70 70 6c 65 74 3e 0d 0a 3c 2f 62 6f 64 
79 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013700 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 63 6f 64 65 3d 20 2e 6a 61 72 20 65 30 30 6f 4d 44 44 20 3c 2f 61 70 70 6c 65 74 3e --------- Hex Payload End ----------- .php\?gd=\d+_\d+_\d+$ uricontent:"0php?gd=0_0_0"; |---------------------| Building Rule: 2013701 -------- Hex Payload Start ---------- 20 20 2e 20 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013702 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 30 50 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013703 -------- Hex Payload Start ---------- 16 03 20 0b 20 4d 79 20 43 6f 6d 70 61 6e 79 20 4c 74 64 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2013704 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013705 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013706 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013707 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013708 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- abspath=\s*(ftps?|https?|php)\:\/ uricontent:"abspath=ftp:/"; |---------------------| Building Rule: 2013709 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End 
----------- |---------------------| Building Rule: 2013710 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 48 54 54 50 43 6f 6e 6e 65 63 74 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2013711 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013712 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- and.*substring\( uricontent:"andsubstring("; |---------------------| Building Rule: 2013713 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013917 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013715 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 6e 67 42 61 72 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013717 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 47 72 6f 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2013718 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 74 69 6e 79 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013720 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013719 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 72 69 64 69 6e 53 6f 66 74 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2013724 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6f 63 6b 58 4c 53 --------- Hex Payload End ----------- ID=\d{24}($|&) uricontent:"ID=000000000000000000000000"; 
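The entries above pair each rule's pcre with a uricontent or content string derived from it: `pch\.php\?f=\d+$` becomes `uricontent:"pch.php?f=0"`, `[a-f0-9]{16}` becomes sixteen a's, `\s*` disappears, an alternation such as `(ftps?|https?|php)` contributes its first branch with optional characters dropped. The Python below is an added example, not the converter's code and not Emerging Threats' code: it reconstructs that derivation for the PCRE subset that occurs in this log (escapes, character classes, groups with alternation, the quantifiers `* + ? {n} {n,} {n,m}` with lazy suffixes, and the `^`/`$` anchors) so the mapping can be reproduced and checked. Two things the derivation makes visible: the output is one instance of the regex, so a content built from it can only pre-filter for the pcre and never replace it; and it exposes rule-writing slips, e.g. `pch2.php?c=\d+$` (unescaped `.` and `?`) yields `pch20phc=0` because the unescaped `?` makes the preceding `p` optional, exactly as the log shows for sid 2016460. Where the log's own output looks wrong this version deliberately differs: a negated class yields a character the class does not contain (the log prints `#` for `[^?#]`), and nested non-capturing groups are expanded rather than dropped (the log prints `.?sv=00&tq=` for the `(?:1|2)\.(?:p(?:hp|ng)|...)` pattern). The pattern list in `main` is copied from this log; no other input is assumed.

```python
# Added example (not the converter's code): derive one concrete string that a
# rule's pcre matches, the way this log turns pcre into uricontent/content.
CLASS_SAMPLE = {'d': '0', 'w': 'A', 's': ' '}   # \d \w \s -> one representative


def sample_from_pcre(pattern: str) -> str:
    """Return one string the pattern matches: first alternative, the minimum
    number of repeats, '0' for '.', the first listed member of a class."""
    pos = 0

    def escape() -> str:                      # called with pos just past the '\'
        nonlocal pos
        e = pattern[pos]
        pos += 1
        if e == 'x':                          # \xHH
            pos += 2
            return chr(int(pattern[pos - 2:pos], 16))
        return CLASS_SAMPLE.get(e, e)         # \d \w \s, or an escaped literal

    def char_class() -> str:                  # called with pos just past the '['
        nonlocal pos
        negated = pattern[pos] == '^'
        if negated:
            pos += 1
        start = pos
        while pattern[pos] != ']':
            pos += 2 if pattern[pos] == '\\' else 1
        body, end = pattern[start:pos], pos + 1
        if negated:                           # a printable character the class omits
            first = next(c for c in 'A0a_' if c not in body)
        elif body[0] == '\\':                 # e.g. [\x22\x27] -> '"'
            pos = start + 1
            first = escape()
        else:                                 # first listed char, or start of a range
            first = body[0]
        pos = end
        return first

    def atom() -> str:
        nonlocal pos
        c = pattern[pos]
        pos += 1
        if c == '(':
            if pattern.startswith('?:', pos):
                pos += 2
            inner = alternation()
            pos += 1                          # the closing ')'
            return inner
        if c == '[':
            return char_class()
        if c == '\\':
            return escape()
        if c in '^$':
            return ''                         # anchors consume no characters
        return '0' if c == '.' else c

    def quantified(text: str) -> str:
        nonlocal pos
        if pos == len(pattern):
            return text
        q = pattern[pos]
        if q in '*?':
            count, pos = 0, pos + 1           # optional: take zero occurrences
        elif q == '+':
            count, pos = 1, pos + 1
        elif q == '{':
            close = pattern.index('}', pos)
            count = int(pattern[pos + 1:close].split(',')[0])   # lower bound
            pos = close + 1
        else:
            return text
        if pos < len(pattern) and pattern[pos] in '?+':   # lazy / possessive suffix
            pos += 1
        return text * count

    def sequence() -> str:
        out = ''
        while pos < len(pattern) and pattern[pos] not in '|)':
            out += quantified(atom())
        return out

    def alternation() -> str:
        nonlocal pos
        first = sequence()
        while pos < len(pattern) and pattern[pos] == '|':
            pos += 1
            sequence()                        # later branches are parsed but unused
        return first

    return alternation()


if __name__ == '__main__':
    # pcre expressions copied from this log, next to the string derived from each
    for p in (r"pch\.php\?f=\d+$", r"basedir_save=\s*(ftps?|https?|php)\x3a\/",
              r"ID=\d{24}($|&)", r"pch2.php?c=\d+$",
              r"(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq="):
        print(f'{p}  ->  uricontent:"{sample_from_pcre(p)}";')
```

Run it on a rule's pcre before trusting the derived content: if the derived string is not what the rule author evidently intended (as with `pch20phc=0`), the pcre itself needs fixing, and the content-only rule built from it will match that unintended string rather than the traffic the rule describes.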
|---------------------| Building Rule: 2013723 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 5c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013728 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013729 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 58 4c 6f 67 4f 6e 6c 79 --------- Hex Payload End ----------- ^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6 content:"classid=clsid:083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; |---------------------| Building Rule: 2013730 -------- Hex Payload Start ---------- 30 38 33 42 34 30 44 33 2d 43 43 42 41 2d 31 31 44 32 2d 41 46 45 30 2d 30 30 43 30 34 46 37 39 39 33 44 36 20 2e 41 64 64 50 61 67 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 38 33 42 34 30 44 33 2d 43 43 42 41 2d 31 31 44 32 2d 41 46 45 30 2d 30 30 43 30 34 46 37 39 39 33 44 36 --------- Hex Payload End ----------- ^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6 content:"classid=clsid:083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; |---------------------| Building Rule: 2013731 -------- Hex Payload Start ---------- 30 38 33 42 34 30 44 33 2d 43 43 42 41 2d 31 31 44 32 2d 41 46 45 30 2d 30 30 43 30 34 46 37 39 39 33 44 36 20 2e 44 65 6c 65 74 65 50 61 67 65 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 30 38 33 42 34 30 44 33 2d 43 43 42 41 2d 31 31 44 32 2d 41 46 45 30 2d 30 30 43 30 34 46 37 39 39 33 44 36 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9 content:"<OBJECT classid=clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9"; |---------------------| Building Rule: 2013732 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 
32 42 42 44 34 35 41 35 2d 32 38 41 45 2d 31 31 44 31 2d 41 43 41 43 2d 30 38 30 30 31 37 30 39 36 37 44 39 20 2e 53 61 76 65 4f 62 6a 65 63 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 42 42 44 34 35 41 35 2d 32 38 41 45 2d 31 31 44 31 2d 41 43 41 43 2d 30 38 30 30 31 37 30 39 36 37 44 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9 content:"<OBJECT classid=clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9"; |---------------------| Building Rule: 2013733 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 42 42 44 34 35 41 35 2d 32 38 41 45 2d 31 31 44 31 2d 41 43 41 43 2d 30 38 30 30 31 37 30 39 36 37 44 39 20 2e 4c 6f 61 64 4f 62 6a 65 63 74 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 42 42 44 34 35 41 35 2d 32 38 41 45 2d 31 31 44 31 2d 41 43 41 43 2d 30 38 30 30 31 37 30 39 36 37 44 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9 content:"<OBJECT classid=clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9"; |---------------------| Building Rule: 2013734 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 32 42 42 44 34 35 41 35 2d 32 38 41 45 2d 31 31 44 31 2d 41 43 41 43 2d 30 38 30 30 31 37 30 39 36 37 44 39 20 2e 47 65 74 45 78 74 65 6e 64 65 64 43 6f 6c 6f 72 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 32 42 42 44 34 35 41 35 2d 32 38 41 45 2d 31 31 44 31 2d 41 43 41 43 2d 30 38 30 30 31 37 30 39 36 37 44 39 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E content:"<OBJECT classid=clsid:BD9E5104-2F20-4A9F-AB14-82D558FF374E"; |---------------------| Building Rule: 2013735 -------- Hex Payload Start ---------- 3c 4f 42 
4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 42 44 39 45 35 31 30 34 2d 32 46 32 30 2d 34 41 39 46 2d 41 42 31 34 2d 38 32 44 35 35 38 46 46 33 37 34 45 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 42 44 39 45 35 31 30 34 2d 32 46 32 30 2d 34 41 39 46 2d 41 42 31 34 2d 38 32 44 35 35 38 46 46 33 37 34 45 --------- Hex Payload End ----------- <OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9 content:"<OBJECT classid=clsid:3310FA24-A027-47B3-8C49-1091077317E9"; |---------------------| Building Rule: 2013736 -------- Hex Payload Start ---------- 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 33 33 31 30 46 41 32 34 2d 41 30 32 37 2d 34 37 42 33 2d 38 43 34 39 2d 31 30 39 31 30 37 37 33 31 37 45 39 20 3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 3d 63 6c 73 69 64 3a 33 33 31 30 46 41 32 34 2d 41 30 32 37 2d 34 37 42 33 2d 38 43 34 39 2d 31 30 39 31 30 37 37 33 31 37 45 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013737 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 65 6e 65 72 69 63 48 74 74 70 2f 56 45 52 5f 53 54 52 5f 43 4f 4d 4d 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013738 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013741 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! 
Error parsing rule contents
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P CnC"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:13;)
Parser failed - skipping rule
gameover(\d+)?\.php NOT IMPL not _simple(av) in REPEATING CODES uricontent:"gameover.php";
|---------------------| Building Rule: 2013740 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 58 2d 49 44 3a --------- Hex Payload End -----------
|---------------------| Building Rule: 2013743 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6e 6f 2d 69 70 03 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013744 -------- Hex Payload Start ---------- 2e 6e 6f 2d 69 70 2e 63 6f 6d 0d 0a 20 2e --------- Hex Payload End -----------
|---------------------| Building Rule: 2013745 -------- Hex Payload Start ---------- 20 48 54 54 50 2f 31 2e 31 20 48 54 54 50 2f 31 2e 31 0d 0a --------- Hex Payload End -----------
|---------------------| Building Rule: 2017066 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 6f 6f 67 6c 65 --------- Hex Payload End -----------
\?ID=[A-Z]{10}$ uricontent:"?ID=AAAAAAAAAA";
|---------------------| Building Rule: 2016460 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End -----------
pch2.php?c=\d+$ uricontent:"pch20phc=0";
|---------------------| Building Rule: 2013746 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2013749 -------- Hex Payload Start ---------- 55 73 65 72
2d 41 67 65 6e 74 3a 20 76 6d 77 61 72 65 --------- Hex Payload End -----------
<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616 content:"<OBJECT classid=clsid:67DABFBF-D0AB-41fa-9C46-CC0F21721616";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; content:"<OBJECT classid=clsid:67DABFBF-D0AB-41fa-9C46-CC0F21721616"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2013751 -------- Hex Payload Start ---------- 11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c --------- Hex Payload End -----------
|---------------------| Building Rule: 2013752 -------- Hex Payload Start ---------- 43 33 50 4f 2d 72 32 64 32 2d 50 4f 45 --------- Hex Payload End -----------
dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"dir=0script";
|---------------------| Building Rule: 2013757 -------- Hex Payload Start ---------- 20 64 69 72 3d --------- Hex Payload End -----------
wpabspath=\s*(ftps?|https?|php)\:\/ uricontent:"wpabspath=ftp:/";
|---------------------| Building Rule: 2013758 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End -----------
SELECT.+FROM uricontent:"SELECT0FROM";
|---------------------| Building Rule: 2013759 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End -----------
DELETE.+FROM uricontent:"DELETE0FROM";
|---------------------| Building Rule: 2013760 -------- Hex Payload Start
---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013761 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013762 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013763 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013764 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"dir=0script"; |---------------------| Building Rule: 2013765 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013766 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 76 5f 44 56 44 --------- Hex Payload End ----------- \x2F[a-z]{5}\x2Ephp\x3Fid\x3D uricontent:"/aaaaa.php?id="; |---------------------| Building Rule: 2013767 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d; classtype:trojan-activity; sid:2013768; rev:4;)
Parser failed - skipping rule
|---------------------| Building Rule: 2013769 -------- Hex Payload Start ---------- 26 66 69 72 73 74 26 20 23 20 30 64 20 30 68 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013770 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 55 53 50 53 5f 49 6e 76 6f 69 63 65 20 2e 65 78 65 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013771 -------- Hex Payload Start ---------- 59 70 6d 77 31 53 79 76 30 32 33 51 5a 44 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013772 -------- Hex Payload Start ---------- 59 70 6d 77 31 53 79 76 30 32 33 51 5a 44 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013773 -------- Hex Payload Start ---------- 77 5a 32 70 6c 61 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013774 -------- Hex Payload Start ---------- 77 42 6d 70 66 33 50 62 37 52 4a 65 0d 0a --------- Hex Payload End -----------
\/dl\/\w{1,4}\.php\?[0-9]$ uricontent:"/dl/A.php?0";
|---------------------| Building Rule: 2013775 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2013776 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------| Building Rule: 2013777 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
|---------------------|
s\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"s=0script"; |---------------------| Building Rule: 2013981 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013982 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- \/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/advert/get?id="; |---------------------| Building Rule: 2013983 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2013984 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 53 45 4c 45 43 54 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2013985 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2013986 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2013987 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2013988 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013989 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2013995 -------- Hex Payload Start ---------- 6f 62 6a 20 3c 3c 20 2f 55 33 44 --------- Hex Payload End 
----------- |---------------------| Building Rule: 2014004 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 44 4d 75 69 6c 65 73 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2013996 -------- Hex Payload Start ---------- 2f 53 75 62 74 79 70 65 20 2f 55 33 44 3c 3c 2f 41 75 74 68 6f 72 20 28 46 6f 29 20 2f 65 6d 61 69 6c 20 28 66 6f 40 67 6d 61 69 6c 2e 63 6f 6d 29 20 2f 77 65 62 20 28 66 6f 2e 67 6f 6f 67 6c 65 70 61 67 65 73 2e 63 6f 6d 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2013997 -------- Hex Payload Start ---------- 2f 53 75 62 74 79 70 65 20 2f 55 33 44 2f 43 6f 6e 74 65 6e 74 73 20 28 61 20 70 77 6e 69 6e 67 20 75 33 64 20 6d 6f 64 65 6c 29 20 2f 33 44 49 20 66 61 6c 73 65 20 3e 20 2f 33 44 41 20 3c 3c 20 2f 41 20 2f 50 4f 20 2f 44 49 53 20 2f 49 20 3e 3e 20 2f 52 65 63 74 20 5b 30 20 30 20 36 34 30 20 34 38 30 5d 20 2f 33 44 44 20 31 30 20 30 20 52 20 2f 46 20 37 20 3e 3e --------- Hex Payload End ----------- \x7Cddos\x7C(syn|http)\x7C content:"|ddos|syn|"; Parser failed - skipping rule |---------------------| Building Rule: 2013999 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 63 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 20 4d 53 49 45 20 36 2e 30 20 46 69 72 65 66 6f 78 2f 20 44 65 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014001 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 20 3b 20 76 2e --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2014002 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 29 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014006 -------- Hex 
Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014007 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014008 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014009 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014010 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014011 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014012 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014017 -------- Hex Payload Start ---------- 48 45 41 44 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014018 -------- Hex Payload Start ---------- 48 45 41 44 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2014021 -------- Hex Payload Start ---------- 47 6f 6f 74 6b 69 74 20 6c 64 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014022 -------- Hex Payload Start ---------- 47 6f 6f 74 6b 69 74 20 61 75 74 6f 2d 72 6f 6f 74 65 72 20 73 63 61 6e 6e 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014023 -------- Hex Payload Start ---------- 47 6f 6f 74 6b 69 74 20 61 75 74 6f 2d 72 6f 6f 74 65 72 20 73 63 61 6e 6e 65 72 --------- Hex Payload End ----------- ^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$ uricontent:"/a0000000000?A=0&A=10600_00"; |---------------------| Building Rule: 2014024 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/\d+\.functions$ uricontent:"/0.functions"; |---------------------| Building Rule: 2016275 -------- Hex Payload Start ---------- 20 3a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014028 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 22 76 63 6c 65 61 6e 20 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014029 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018220 -------- Hex Payload Start ---------- 2e 64 64 6e 73 2e 69 6e 66 6f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 
2018221 -------- Hex Payload Start ---------- 2e 64 64 6e 73 2e 6e 61 6d 65 0d 0a --------- Hex Payload End ----------- \/get\.php\?(id|key)\x3d uricontent:"/get.php?id="; |---------------------| Building Rule: 2016424 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014030 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 45 42 41 54 45 49 4e 46 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014031 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014032 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014033 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014034 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014035 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014036 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 41 6c 6c 61 74 6f 72 69 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014037 -------- Hex Payload Start ---------- 2e 6f 73 61 2e 70 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014038 -------- Hex Payload Start ---------- 43 6f 6f 6b 69 65 3a 20 4f 41 49 44 3d 20 42 72 6f 77 73 65 72 44 65 74 65 63 74 2e 69 6e 69 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014039 -------- Hex Payload Start ---------- 6e 61 6d 65 3d 5c 22 54 77 69 74 74 65 72 5c 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 5c 22 61 75 74 6f 5c 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 5c 22 6e 6f 
5c 22 20 61 6c 69 67 6e 3d 5c 22 63 65 6e 74 65 72 5c 22 20 68 65 69 67 68 74 20 3d 20 5c 22 31 70 78 5c 22 20 77 69 64 74 68 20 3d 20 5c 22 31 70 78 5c 22 3e 3c 2f 69 66 72 61 6d 65 3e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.PowerPointer checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<packet>"; http_client_body; content:"</packet>"; http_client_body; classtype:trojan-activity; sid:2014040; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:trojan-activity; sid:2014044; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2014047 -------- Hex Payload Start ---------- 20 48 54 54 50 2f 31 2e 31 20 48 54 54 50 2f 31 2e 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014053 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014054 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 4f 54 2d 4d 50 78 32 32 30 2f 31 2e 34 30 30 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014055 -------- Hex Payload Start ---------- 59 00 4d 00 53 00 47 00 2e 00 2e 00 2e 00 2e 00 20 f6 f6 f6 f6 f6 f6 f6 f6 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014056 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014057 -------- Hex Payload Start ---------- 3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014059 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014060 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2014061 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2014062 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2014063 -------- Hex 
Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2014064 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2014065 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014066 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- cmd=\w uricontent:"cmd=A"; |---------------------| Building Rule: 2014068 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- page_info_message\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"page_info_message=0script"; |---------------------| Building Rule: 2014067 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014069 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014070 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014071 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- bedrooms_from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"bedrooms_from=0script"; |---------------------| Building Rule: 2014072 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- 
page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"page=0script"; |---------------------| Building Rule: 2014073 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2014074 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2014075 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2014076 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2014077 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2014078 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014084 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014085 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- NDSContext\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"NDSContext=0script"; |---------------------| Building Rule: 2014086 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2014087 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex 
Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2014088 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2014080 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2014081 -------- Hex Payload Start ---------- 47 45 54 20 20 6c 69 6d 69 74 3d 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014082 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014083 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014091 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 79 6e 44 4e 53 2d 43 6c 69 65 6e 74 20 20 63 68 65 63 6b 69 70 2e 64 79 6e 64 6e 73 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014092 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 79 6e 44 4e 53 2d 43 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014093 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 70 77 66 0d 0a --------- Hex Payload End ----------- UserName\x3d[^\x26]+\x2500 content:"UserName=#%00"; |---------------------| Building Rule: 2014100 -------- Hex Payload Start ---------- 20 43 72 65 61 74 65 55 73 65 72 53 74 65 70 43 6f 6e 74 61 69 6e 65 72 55 73 65 72 4e 61 6d 65 3d 25 30 30 20 55 73 65 72 4e 61 6d 65 3d 00 25 30 30 --------- Hex Payload End ----------- \.jar\?t=\d+&h=[^&]+$ uricontent:".jar?t=0&h=#"; |---------------------| Building Rule: 2014094 -------- Hex Payload Start ---------- 20 29 20 4a 
61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2014099 -------- Hex Payload Start ---------- d0 cf 11 e0 a1 b1 1a e1 20 69 20 67 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014101 -------- Hex Payload Start ---------- 78 37 34 0c 36 34 0c 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 34 39 0c --------- Hex Payload End ----------- type both, track by_src, count 15, seconds 30 |---------------------| Building Rule: 2014103 -------- Hex Payload Start ---------- 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 63 6f 64 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 2f 73 6c 6f 77 68 74 74 70 74 65 73 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014105 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 0d 0a 48 6f 73 74 3a 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014107 Error here within! Error here within! -------- Hex Payload Start ---------- 50 4f 53 54 20 20 48 54 54 50 2f 31 2e 20 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 73 0d 0a 43 6f 6f 6b 69 65 3a 20 63 69 64 3d 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 48 6f 73 74 3a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 20 2e 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014108 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014112 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014113 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]= uricontent:".php?m=AA-AA-AA-AA-AA-AA&v="; |---------------------| Building Rule: 2014114 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 75 69 6c 64 --------- Hex Payload End ----------- \.php\?s=\d&m=[A-F0-9]{16}$ uricontent:".php?s=0&m=AAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2014115 -------- Hex Payload Start 
---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 75 69 6c 64 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014117 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 74 61 62 74 6f 6f 6c 62 61 72 75 70 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014118 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 43 79 74 68 6f 73 69 61 20 56 32 20 42 6f 74 20 57 65 62 70 61 6e 65 6c 20 2d 20 4c 6f 67 69 6e 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014119 -------- Hex Payload Start ---------- 20 20 20 48 54 54 50 2f 31 2e 30 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014120 -------- Hex Payload Start ---------- 78 2d 63 6f 6d 70 61 6e 79 3a 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 6f 41 67 65 6e 63 65 2d --------- Hex Payload End ----------- |---------------------| Building Rule: 2014121 -------- Hex Payload Start ---------- 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 33 32 29 20 48 4f 53 54 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014122 -------- Hex Payload Start ---------- 20 20 20 20 20 6f 70 65 6e 63 61 6e 64 79 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2014125 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014123 -------- Hex Payload Start ---------- 20 2e 73 6d 61 72 74 69 65 6e 67 69 6e 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014124 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 73 6d 61 72 74 69 65 6e 67 69 6e 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2014126 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014127 -------- Hex Payload Start ---------- 00 01 00 08 00 00 00 00 00 02 01 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014128 -------- Hex Payload Start ---------- 01 00 34 12 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014129 -------- Hex Payload Start ---------- 00 00 34 12 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014130 Error here depth! -------- Hex Payload Start ---------- 20 20 31 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014132 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 48 50 45 53 50 52 49 54 2e 58 4d 4c 43 61 63 68 65 4d 67 72 2e 31 43 61 63 68 65 44 6f 63 75 6d 65 6e 74 58 4d 4c 57 69 74 68 49 64 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Jiwerks.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.aspx"; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; content:"a="; fast_pattern; http_client_body; depth:2; content:"&v="; http_client_body; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:trojan-activity; sid:2014133; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2014137 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 53 58 20 44 6f 77 6e 6c 6f 61 64 20 44 4c 4c --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e] content:"<applet#visibility#hidden#"; |---------------------| Building Rule: 2014136 -------- Hex Payload Start ---------- 64 65 70 6c 6f 79 4a 61 76 61 2e 76 65 72 73 69 6f 6e 43 68 65 63 6b 28 3c 61 70 70 6c 65 74 20 68 69 64 64 65 6e 20 3c 61 70 70 6c 65 74 00 76 69 73 69 62 69 6c 69 74 79 00 68 69 64 64 65 6e 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014264 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014265 -------- Hex Payload Start ---------- 63 69 74 79 5f 6e 61 6d 65 3d 20 73 74 61 74 65 3d 20 63 6f 75 6e 74 72 79 5f 20 6c 61 74 69 74 75 64 65 3d 20 6c 6f 6e 67 69 74 75 64 65 3d 20 0d 0a 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014139 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 6e 69 63 61 7a 65 03 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014262 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 73 69 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \?id=[0-9]{13}&msg=[^&]+$ uricontent:"?id=0000000000000&msg=#"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; content:"GET"; http_method; content:"?id="; http_uri; content:"&msg="; http_uri; distance:13; within:5; uricontent:"?id=0000000000000&msg=#"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:5;) Parser failed - skipping rule ^\/\?id=[0-9]{13}&msg= uricontent:"/?id=0000000000000&msg="; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; uricontent:"/?id=0000000000000&msg="; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2014142 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 2f 41 75 74 68 6f 72 20 28 79 76 70 20 64 65 76 6f 29 2f 43 72 65 61 74 6f 72 20 28 62 75 62 20 6c 6f 62 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014145 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014146 -------- Hex Payload Start ---------- 3a 3a 3a 3a 3a 28 20 43 6c 69 65 6e 74 65 53 69 73 74 65 6d 20 53 2f 56 65 72 73 61 6f 20 53 2f --------- Hex Payload End ----------- \.php\?s=[0-9a-fA-F]{25}$ uricontent:".php?s=0000000000000000000000000"; |---------------------| Building Rule: 2014147 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/load\.php\?spl=[-_\w]+$ uricontent:"/load.php?spl=-"; |---------------------| Building Rule: 2014148 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014150 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014151 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:trojan-activity; sid:2014152; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2014154 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 73 75 62 66 6f 72 6d 73 63 72 69 70 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014155 -------- Hex Payload Start ---------- 45 6e 63 72 79 70 74 20 4a 53 58 58 20 56 49 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014156 -------- Hex Payload Start ---------- 62 61 6e 67 28 29 63 6c 6f 6e 65 64 75 6e 65 73 63 61 70 65 28 22 25 75 30 63 30 63 25 75 30 63 30 63 25 75 30 63 30 63 25 75 30 63 30 63 25 75 30 63 30 63 25 75 30 63 30 63 22 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014157 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014158 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014161 -------- Hex Payload Start ---------- 20 20 20 41 6e 64 72 6f 69 64 --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2014162 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D uricontent:".php?v0="; |---------------------| Building Rule: 2014163 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 68 72 6f 6d 65 2f 39 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014164 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014165 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 79 41 67 72 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014166 -------- Hex Payload Start ---------- 5b 55 50 44 41 54 45 5d 0d 0a 56 45 52 20 3d 55 52 4c 20 3d 5b 50 41 54 54 45 52 4e 5d 0d 0a 56 45 52 20 3d 55 52 4c 20 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2014167 -------- Hex Payload Start ---------- 5b 44 42 49 4e 46 4f 5d 0d 0a 49 6e 66 6f 20 3d 56 65 72 73 69 6f 6e 20 3d 5b 54 6f 74 61 6c 43 6f 75 6e 74 5d 0d 0a 43 6f 75 6e 74 20 3d 5b 47 61 72 75 59 61 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014168 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 3c 61 70 70 6c 65 74 20 63 6f 64 65 3d 2e 63 6c 61 73 73 2e 6a 61 72 2e 70 64 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014169 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 73 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014172 -------- Hex Payload Start ---------- 20 63 6c 69 63 6b 6d 65 3d 31 0d 0a 20 63 6c 69 63 6b 6d 65 3d 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014173 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 69 72 65 66 6f 78 2f 32 2e 30 2e 30 2e 32 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014174 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|marquee|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"from=0script"; |---------------------| Building Rule: 2014179 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- root_path=\s*(ftps?|https?|php)\:\/ uricontent:"root_path=ftp:/"; |---------------------| Building Rule: 2014180 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014183 -------- Hex Payload Start ---------- 47 45 54 20 20 20 74 72 61 63 6b 2e 65 74 65 2e 63 6e --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2014184 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM 
uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2014185 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2014186 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2014187 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2014188 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014190 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 6e 33 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/count"; http_uri; content:"appTitle="; http_client_body; content:"&strLink="; http_client_body; distance:0; content:"&proFirstTime="; http_client_body; distance:0; content:"&proLastTime="; http_client_body; distance:0; content:"&appName="; http_client_body; distance:0; content:"&KillList="; http_client_body; distance:0; classtype:trojan-activity; sid:2014191; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to_server; content:"<mediagetInstaller statVersion="; http_client_body; content:"mediagetIsAlreadyInstalled="; http_client_body; classtype:trojan-activity; sid:2014192; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014193 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 50 2d 45 59 45 20 44 6f 77 6e 6c 6f 61 64 65 72 --------- Hex Payload End ----------- function\x20booom[1-3]{1}\x28\x29 content:"function booom1()"; |---------------------| Building Rule: 2014197 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 62 6f 6f 6f 6d 20 66 75 6e 63 74 69 6f 6e 20 62 6f 6f 6f 6d 31 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014199 -------- Hex Payload Start ---------- 62 6f 6f 6f 6d 5b 62 6f 6f 6f 6d 5b 62 6f 6f 6f 6d 5b 62 6f 6f 6f 6d 5b 62 6f 6f 6f 6d 5b 62 6f 6f 6f 6d 5b 62 6f 6f 6f 6d 5b --------- Hex Payload End ----------- \?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20 content:"?rnd=00000 HTTP1/1.0 Host: "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014201 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 69 73 63 6f 2d 49 4f 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014202 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 73 65 6e 64 73 70 61 63 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014203 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- var\x20Cute(Money|Power|Shine) content:"var CuteMoney"; |---------------------| Building Rule: 2014204 -------- Hex Payload Start ---------- 76 61 72 20 43 75 74 65 20 76 61 72 20 43 75 74 65 4d 6f 6e 65 79 
--------- Hex Payload End ----------- iframe[^\r\n]*\x2FCUTE-IE\x2Ehtml content:"iframe/CUTE-IE.html"; |---------------------| Building Rule: 2014205 -------- Hex Payload Start ---------- 2f 43 55 54 45 2d 49 45 2e 68 74 6d 6c 20 69 66 72 61 6d 65 2f 43 55 54 45 2d 49 45 2e 68 74 6d 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2014206 -------- Hex Payload Start ---------- 62 75 74 74 6f 6e 20 69 64 3d 22 65 76 69 6c 63 75 74 65 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014207 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014208 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014209 -------- Hex Payload Start ---------- 16 20 0b 20 00 ec 32 09 67 c9 34 3f 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014210 -------- Hex Payload Start ---------- 16 20 0b 20 6d 61 72 72 79 2e 73 6d 69 74 68 40 6c 74 75 2e 65 64 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014211 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014212 -------- Hex Payload Start ---------- 20 50 4f 53 54 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSUpdater Connectivity Check to Google"; flow:established,to_server; content:"/search?qu="; http_uri; content:"User-Agent|3a 20|Firefox/2.0.0.2"; http_header; content:"news"; http_client_body; depth:4; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014213; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2014215 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014216 -------- Hex Payload Start ---------- 0d 0a 0d 0a 77 61 69 74 2e 3c 6f 73 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014217 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 6d 64 35 3e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6d 64 35 3e 3c 75 72 6c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:trojan-activity; sid:2014219; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2014365 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 6f 73 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018194 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018222 -------- Hex Payload Start ---------- 20 20 2e 69 6e 73 74 61 6c 6c 69 71 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014222 -------- Hex Payload Start ---------- 51 31 39 21 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014223 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 53 74 61 74 75 73 3a 20 58 2d 53 69 7a 65 3a 20 58 2d 53 6e 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 53 56 31 3b 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014224 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 53 74 61 74 75 73 3a 20 58 2d 53 69 7a 65 3a 20 58 2d 53 6e 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 
35 2e 31 3b 53 56 31 3b 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014225 -------- Hex Payload Start ---------- 4c 55 52 4b 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014226 Error here within! -------- Hex Payload Start ---------- 78 56 34 12 00 10 00 10 20 20 20 20 00 18 09 07 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014227 Error here depth! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 01 00 00 00 20 20 20 20 20 20 20 20 01 04 01 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014228 Error here within! Error here within! Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 00 00 00 00 00 00 00 00 20 20 20 20 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 9c 00 00 00 20 00 00 00 20 00 00 00 20 20 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014229; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014230 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 77 69 6e 64 6f 77 73 2d 75 70 64 61 74 65 2d 2e 65 78 65 20 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014231 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 53 74 61 74 75 73 3a 20 58 2d 53 69 7a 65 3a 20 58 2d 53 6e 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 53 56 31 3b 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014232 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 53 74 61 74 75 73 3a 20 58 2d 53 69 7a 65 3a 20 58 2d 53 6e 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014233 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 73 61 66 61 77 65 62 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014234 Error here within! 
-------- Hex Payload Start ---------- 47 45 54 20 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 20 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 20 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 20 3b 20 57 69 6e 64 6f 77 73 20 39 38 29 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014239 -------- Hex Payload Start ---------- 55 53 45 52 20 6f 6e 74 68 65 6c 69 6e 75 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014243 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 63 6f 6d 2e 63 6c 61 73 73 20 65 64 75 2e 63 6c 61 73 73 20 6e 65 74 2e 63 6c 61 73 73 20 6f 72 67 2e 63 6c 61 73 73 --------- Hex Payload End ----------- \?aid=\d{9}&url=[\w\.\-]{23}$ uricontent:"?aid=000000000&url=AAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2014247 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \?subid=\d{9}&u=[\w\.\-]{23}$ uricontent:"?subid=000000000&u=AAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2014248 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014249 -------- Hex Payload Start ---------- 20 67 61 6d 65 70 6c 61 79 6c 61 62 73 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2014250 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- 
id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"id=0script"; |---------------------| Building Rule: 2014251 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- key\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"key=0script"; |---------------------| Building Rule: 2014252 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- SELECT.+FROM uricontent:"SELECT0FROM"; |---------------------| Building Rule: 2014253 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- DELETE.+FROM uricontent:"DELETE0FROM"; |---------------------| Building Rule: 2014254 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UNION.+SELECT uricontent:"UNION0SELECT"; |---------------------| Building Rule: 2014255 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- INSERT.+INTO uricontent:"INSERT0INTO"; |---------------------| Building Rule: 2014256 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- UPDATE.+SET uricontent:"UPDATE0SET"; |---------------------| Building Rule: 2014257 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014258 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 2e 2f --------- Hex Payload End ----------- mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/ uricontent:"mosConfig_absolute_path=ftp:/"; |---------------------| Building Rule: 2014259 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; content:"/services/javascript.php"; http_uri; content:"href"; http_cookie; content:"file=open_calendar.js"; http_client_body; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014261 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 73 69 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014263 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014266 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014267 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 74 65 73 74 04 33 33 32 32 03 6f 72 67 02 63 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014268 -------- Hex Payload Start ---------- 63 6f 6e 6e 65 63 74 65 64 23 20 23 57 69 6e 64 6f 77 73 20 23 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014269 -------- Hex Payload Start ---------- 50 4f 53 54 20 3b 20 6e 61 6d 65 3d 22 62 6f 74 5f 69 64 22 0d 0a 0d 0a 20 20 6e 61 6d 65 3d 22 6f 73 5f 76 65 72 73 69 6f 6e 22 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014270 Protocol Not Supported type limit, track by_src, seconds 60, count 1 |---------------------| Building Rule: 2014271 -------- Hex Payload Start ---------- 16 03 00 00 
37 01 00 00 33 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type limit, track by_src, seconds 60, count 1 |---------------------| Building Rule: 2014272 Error here within! -------- Hex Payload Start ---------- 00 00 00 00 ff ff ff ff 3f 57 20 20 20 fe ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015653 -------- Hex Payload Start ---------- 2f 61 70 69 2f 73 74 61 74 73 2f 69 6e 73 74 61 6c 6c 2f 3f 61 66 66 69 64 3d 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014274 -------- Hex Payload Start ---------- 50 6c 65 61 73 65 20 77 61 69 74 2c 20 74 69 6c 6c 20 74 61 78 20 63 6f 6e 66 69 72 6d 61 74 69 6f 6e 20 69 73 20 72 65 61 64 79 2e 20 74 72 79 7b 20 63 61 74 63 68 28 --------- Hex Payload End ----------- user=[a-f0-9]{31,32}& uricontent:"user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&"; |---------------------| Building Rule: 2014275 -------- Hex Payload Start ---------- 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014277 Error here depth! 
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 20 09 74 72 79 32 63 68 65 63 6b 02 6d 65 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014279
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014280
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014282
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
id=[A-F0-9]{20}
uricontent:"id=AAAAAAAAAAAAAAAAAAAA";
|---------------------|
Building Rule: 2014283
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 62 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 30 2e 32 39 31 34 29
--------- Hex Payload End -----------
hhcp.php?c=[a-f0-9]{5}$
uricontent:"hhcp0phc=aaaaa";
|---------------------|
Building Rule: 2014284
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014285
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 02 63 68 02 76 75
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014286
-------- Hex Payload Start ----------
16 03 20 0b 20 74 72 79 32 63 68 65 63 6b 2e 6d 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014287
-------- Hex Payload Start ----------
16 03 20 0b 20 74 72 79 32 63 68 65 63 6b 2e 6d 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014288
-------- Hex Payload Start ----------
43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 69 6d 61 67 65 20 0d 0a 0d 0a 50 4b 4d 45 54 41 2d 49 4e 46 2f 4d 41 4e 49 46 45 53 54
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014289
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 20 2e 33 33 32 32 2e 6f 72 67 2e 63 6e 0d 0a
--------- Hex Payload End -----------
(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))
content:"";
|---------------------|
Building Rule: 2014435
-------- Hex Payload Start ----------
46 69 6e 64 50 72 6f 78 79 46 6f 72 55 52 4c 22 50 52 4f 58 59 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014290
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 65 74 52 69 67 68 74 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014292
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014293
-------- Hex Payload Start ----------
20 41 63 63 65 70 74 3a 20 2a 2f 2f 2a 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014295
-------- Hex Payload Start ----------
0d 0a 0d 0a 50 4b 2c 43 41 46 45 42 41 42 45 30 30 30 30 30 30 33 30 30 30 37 41 30 41 30 30 32 35 30 30 33 30 30 41 30 30 33 31 30 30 33 32 30 37 30 30
--------- Hex Payload End -----------
\/\w{3}\/\w\d_\w\w\w\/in\/?$
uricontent:"/AAA/A0_AAA/in";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; uricontent:"/AAA/A0_AAA/in"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:trojan-activity; sid:2014405; rev:10;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014296
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014596
-------- Hex Payload Start ----------
47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 2e 20 0a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_header; content:!"85"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; reference:url,java.com/en/download/manual_java7.jsp; classtype:bad-unknown; sid:2014297; rev:37;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014604
-------- Hex Payload Start ----------
20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 2f 36 20 3b 20 4c 61 6e 67 49 44 3d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2016907
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 45 4d 53 43 42 56 44 46 52 54 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014298
-------- Hex Payload Start ----------
47 3c 48 36 3e 46 3d 37 2e 34 39 42 37 46
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014300
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2014302
-------- Hex Payload Start ----------
52 65 66 65 72 65 72 3a 20 72 65 73 3a 2f 2f 63 3a 5c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014303
-------- Hex Payload Start ----------
20 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014304
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 61 70 69 2e 77 69 70 6d 61 6e 69 61 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014305
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 54 43 59 57 69 6e 48 54 54 50 44 6f 77 6e 6c 6f 61 64
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014306
-------- Hex Payload Start ----------
20 20 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 7a 68 2d 63 6e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:trojan-activity; sid:2014307; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014308
-------- Hex Payload Start ----------
64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 22 64 61 64 6f 6e 67
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014309
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018219
-------- Hex Payload Start ----------
2e 73 79 74 65 73 2e 6e 65 74 0d 0a
--------- Hex Payload End -----------
\/\d\d[A-F0-9]{4}0000\/log$
uricontent:"/00AAAA0000/log";
|---------------------|
Building Rule: 2014310
-------- Hex Payload Start ----------
50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a
--------- Hex Payload End -----------
FileName\x3D[^\r\n]*\x2E(dll|exe)
content:"FileName=.dll";
|---------------------|
Building Rule: 2014312
-------- Hex Payload Start ----------
3b 20 49 6e 69 20 64 6f 77 6e 6c 6f 61 64 20 66 69 6c 65 20 6d 6f 64 75 65 44 6f 77 6e 55 72 6c 3d 46 69 6c 65 4e 61 6d 65 3d 53 61 76 65 54 79 70 65 3d 20 46 69 6c 65 4e 61 6d 65 3d 2e 64 6c 6c
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server|3A 20|dbws|0d 0a|"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:8;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014314
-------- Hex Payload Start ----------
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 20 2e 65 78 65 20 6c 6f 61 64 2f 20 0d 0a 0d 0a 4d 5a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014315
-------- Hex Payload Start ----------
20 2e 70 68 70 3f 73 68 6f 77 74 6f 70 69 63 3d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014316
-------- Hex Payload Start ----------
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 2e 70 64 66 0d 0a 0d 0a 25 50 44 46 2d 20 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 4c 65 6e 67 74 68
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014317
-------- Hex Payload Start ----------
0d 0a 0d 0a 3c 78 6d 6c 3e 3c 74 69 6d 65 3e 3c 64 6f 63 3e 3c 75 72 6c 3e 68 74 74 70 3a 2f 2f 3c 72 65 66 3e 3c 6e 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014318
-------- Hex Payload Start ----------
48 54 54 50 2f 31 2e 31 20 33 30 20 63 6c 69 63 6b 70 61 79 7a 2e 63 6f 6d 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014319
-------- Hex Payload Start ----------
20 20 4a 61 76 61 2f 31
--------- Hex Payload End -----------
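The hex dumps above are the tool's test payload for each rule: the rule's positive content matches laid end to end (the double 0x20 bytes in dumps such as 2014289's `Host:  .3322.org.cn` come from one separator byte between matches), with `Error here depth!` and `Error here within!` flagging a match that cannot sit where its offset/depth or distance/within modifiers require. The Python below is an added example written for this page, not the code of the tool that produced the log. It assumes the one-space join inferred from the dumps, skips negated matches (`content:!"..."`) because a payload meant to fire the rule must not contain them, and, unlike the flat dumps, keeps each Snort 2 `http_*` buffer separate, since that is the buffer in which Snort evaluates the position modifiers. The embedded rule text is sid 2014356 as printed later in this log; `byte_jump`/`byte_test` cursor moves and `nocase` are not modelled, and the function and buffer names are this example's own.

```python
"""Lay out the content matches of a Snort 2 style rule as a test payload.

Added example; not the tool whose log is shown above.  Conventions taken
from the dumps: positive matches placed left to right with one 0x20 byte
between them, rendered as "xx xx ...".  Negated matches are skipped.  Each
http_* modifier gets its own buffer, which is where offset/depth (absolute)
and distance/within (relative) are evaluated.  byte_jump/byte_test cursor
moves and nocase are not modelled.
"""
import re

# key:value; or key;  (a quoted value may contain \" and \; escapes)
OPTION = re.compile(r'(?P<key>[a-z_]+)\s*(?::\s*(?P<val>!?"(?:\\.|[^"\\])*"|[^;]*))?\s*;')
BUFFER_MODS = {"http_method", "http_uri", "http_raw_uri", "http_header",
               "http_raw_header", "http_cookie", "http_raw_cookie",
               "http_client_body", "http_stat_code", "http_stat_msg"}
POSITION_MODS = {"offset", "depth", "distance", "within"}


def decode_content(text):
    """Inside of content:"..." to bytes: |xx xx| hex groups, backslash
    escapes (\\" \\; \\\\), everything else taken as literal ASCII."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "|":
            j = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:j])
            i = j + 1
        elif text[i] == "\\":
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_contents(rule):
    """Content matches in rule order, each with its buffer and position modifiers."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matches = []
    for m in OPTION.finditer(body):
        key, val = m.group("key"), m.group("val")
        if key in ("content", "uricontent"):
            matches.append({"negated": val.startswith("!"),
                            "bytes": decode_content(val.lstrip("!")[1:-1]),
                            "buffer": "http_uri" if key == "uricontent" else "payload",
                            "mods": {}})
        elif matches and key in BUFFER_MODS:      # modifier applies to the last content
            matches[-1]["buffer"] = key
        elif matches and key in POSITION_MODS:
            matches[-1]["mods"][key] = int(val)
    return matches


def build_payload(rule, per_buffer=True):
    """Return ({buffer: bytes}, [errors]).  per_buffer=False gives the flat
    layout of the log, which is what trips the absolute depth checks."""
    buffers, cursors, errors = {}, {}, []
    for n, m in enumerate(parse_contents(rule), 1):
        if m["negated"]:
            continue                              # the payload must not contain it
        name = m["buffer"] if per_buffer else "payload"
        buf, mods = buffers.setdefault(name, bytearray()), m["mods"]
        cursor = cursors.get(name, 0)             # end of previous match in this buffer
        start = len(buf) + (1 if buf else 0)      # default: one 0x20 separator
        if "distance" in mods:
            start = cursor + mods["distance"]
        if "offset" in mods:
            start = max(start, mods["offset"])
        if start < len(buf):                      # negative distance without byte_jump
            errors.append(f"content #{n}: distance rewinds into placed bytes")
            start = len(buf)
        end = start + len(m["bytes"])
        if "depth" in mods and end > mods.get("offset", 0) + mods["depth"]:
            errors.append(f"content #{n}: depth {mods['depth']} violated in {name} (ends at {end})")
        if "within" in mods and end > cursor + mods.get("distance", 0) + mods["within"]:
            errors.append(f"content #{n}: within {mods['within']} violated in {name} (ends at {end})")
        buf += b" " * (start - len(buf)) + m["bytes"]
        cursors[name] = end
    return {k: bytes(v) for k, v in buffers.items()}, errors


def hexdump(data):
    """Same rendering as the Hex Payload lines in the log."""
    return " ".join(f"{b:02x}" for b in data)


# Rule 2014356 exactly as it is printed in the log.
RULE_2014356 = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/ProxyChanger.InfoStealer Checkin"; '
    'flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; '
    'fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; '
    'http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; '
    'within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:trojan-activity; sid:2014356; rev:4;)')

if __name__ == "__main__":
    for per_buffer in (True, False):
        bufs, errs = build_payload(RULE_2014356, per_buffer)
        print("per buffer" if per_buffer else "flat")
        for name, data in bufs.items():
            print(f"  {name}: {hexdump(data)}")
        for err in errs:
            print("  " + err)
```

Run as-is, the per-buffer layout places `ABC=` at the start of the `http_client_body` buffer and reports nothing; the flat layout places it after the method, URI and header bytes, so `depth:4` fails in the same way the log's `Error here depth!` lines do. A rule whose matches only make sense after a `byte_jump` (2014313, 2014353 above) still needs that cursor move implemented before its `distance:-64; within:4` can be checked.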
service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"service=0script";
|---------------------|
Building Rule: 2014320
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
inc_path=\s*(ftps?|https?|php)\:\/
uricontent:"inc_path=ftp:/";
|---------------------|
Building Rule: 2014321
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
skins_path=\s*(ftps?|https?|php)\:\/
uricontent:"skins_path=ftp:/";
|---------------------|
Building Rule: 2014322
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014323
-------- Hex Payload Start ----------
20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014324
-------- Hex Payload Start ----------
20 20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014325
-------- Hex Payload Start ----------
43 4c 53 49 44 31 42 39 45 38 36 44 38 2d 37 43 41 46 2d 34 36 43 38 2d 39 39 33 38 2d 35 36 39 42 32 31 45 31 37 41 38 45 20 43 78 44 62 67 50 72 69 6e 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014326
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 69 70 73 77 63 6f 6d 2e 49 50 53 57 43 6f 6d 49 74 66 20 43 78 44 62 67 50 72 69 6e 74
--------- Hex Payload End -----------
q\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"q=0script";
|---------------------|
Building Rule: 2014327
-------- Hex Payload Start ----------
20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014328
-------- Hex Payload Start ----------
20 20 20 2e 2e 2f
--------- Hex Payload End -----------
query\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"query=0script";
|---------------------|
Building Rule: 2014329
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014330
-------- Hex Payload Start ----------
20 48 54 54 50 2f 31 2e 30 20 2e 20 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014331
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014332
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 2e 6e 79 75 64 2e 6e 65 74 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2014335
-------- Hex Payload Start ----------
66 74 79 70 6d 70 34 01 6d 70 34 32 69 73 6f 6d 63 70 72 74 00 ff ff ff
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014336
-------- Hex Payload Start ----------
50 4f 53 54 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014337
-------- Hex Payload Start ----------
2e 72 72 2e 6e 75 2f 6d 6d 2e 70 68 70 3f 64 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014338
-------- Hex Payload Start ----------
2e 72 72 2e 6e 75 2f 6d 6d 2e 70 68 70 3f 64 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014339
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2014341
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 74 6f 79 73 3a 3a 66 69 6c 65
--------- Hex Payload End -----------
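Every regex line followed by a `uricontent:`/`content:` line in this log is the tool turning a rule's `pcre` option into a literal sample that satisfies it, so the sample can be appended to the rule's options and included in the payload (2014343's dump further down shows the appended `Subject: C:\.exe` right after the rule's own content). The conventions are visible in the output: first alternative of a branch, the minimum repeat count, the first member of a character class, `0` for `\d` and for `.`, `A` for `\w`, `#` for a negated class or a non-printable byte. The sample also exposes authoring slips: in `hhcp.php?c=[a-f0-9]{5}$` the unescaped `.` and `?` make `hhcp0phc=aaaaa` a valid match. The Python below is an added example written for this page, not the tool's own code. It reproduces those conventions with Python's regex parser, handles the group repeat that the log later gives up on for 2014408 (`NOT IMPL not _simple(av) in REPEATING CODES`, the base64 pattern), and adds a renderer that emits `|xx|` hex and escapes reserved characters, because the log's `#` placeholders (2014372's `content:"##aaaaaaa#eu#"`) and unescaped inner quote (2014417's `content:"ActiveXObject("PLAYERPT...`) are not options that would match real traffic or parse. The function names and the `PCRE_OPTION` grammar are this example's own; `re._parser` is CPython's private parser module and may change between versions.

```python
"""Minimal sample string for a Snort/Suricata pcre option (added example, not
the tool's own code).  Walks Python's regex parse tree with the conventions
seen in the log: first branch, minimum repeat count, first class member,
'0' for \\d and '.', 'A' for \\w, '#' for negated classes.  Group repeats,
which the log reports as NOT IMPL, are handled like any other repeat."""
import itertools
import re

try:                                  # Python 3.11 and later
    from re import _parser as sre_parse, _constants as C
except ImportError:                   # Python 3.10 and older
    import sre_parse
    import sre_constants as C

# pcre:"/pattern/flags";   or   pcre:!"/pattern/flags";
PCRE_OPTION = re.compile(r'pcre:\s*(?P<neg>!?)"/(?P<pat>.*?)/(?P<flags>[A-Za-z]*)"\s*;')
CLASS_SAMPLE = {C.CATEGORY_DIGIT: "0", C.CATEGORY_WORD: "A", C.CATEGORY_SPACE: " "}


def _class_member(members):
    """First member of a character class; a negated class yields '#'."""
    op, av = members[0]
    if op == C.NEGATE:
        return "#"
    if op == C.LITERAL:
        return chr(av)
    if op == C.RANGE:
        return chr(av[0])
    if op == C.CATEGORY:
        return CLASS_SAMPLE.get(av, "#")   # \D \W \S have no obvious pick
    raise NotImplementedError(f"class member {op}")


def _walk(items, groups):
    out = []
    for op, av in items:
        if op == C.LITERAL:
            out.append(chr(av))
        elif op == C.NOT_LITERAL:          # [^x] is parsed to a single NOT_LITERAL
            out.append("#")
        elif op == C.ANY:                  # '.'
            out.append("0")
        elif op == C.IN:
            out.append(_class_member(av))
        elif op in (C.MAX_REPEAT, C.MIN_REPEAT):
            lo, _hi, sub = av              # emit the minimum number of copies
            out.append(_walk(sub, groups) * lo)
        elif op == C.BRANCH:               # av = (None, [alternative, ...])
            out.append(_walk(av[1][0], groups))
        elif op == C.SUBPATTERN:           # av = (group, add_flags, del_flags, sub)
            text = _walk(av[-1], groups)
            if av[0] is not None:
                groups[av[0]] = text
            out.append(text)
        elif op == C.GROUPREF:             # back-reference: repeat the group text
            out.append(groups.get(av, ""))
        elif op in (C.AT, C.ASSERT, C.ASSERT_NOT):
            pass                           # anchors and look-arounds add no bytes
        else:
            raise NotImplementedError(f"regex op {op}")
    return "".join(out)


def sample_for(pattern):
    """Shortest 'obvious' string accepted by the pattern (Python's regex
    syntax agrees with PCRE for every pattern in the log)."""
    return _walk(sre_parse.parse(pattern), {})


def tool_style(sample):
    """The log's rendering: printable ASCII kept, anything else shown as '#'."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else "#" for c in sample)


def content_option(sample, uri=False):
    """A content/uricontent option that really matches: |xx| hex for bytes that
    are not printable ASCII and for the characters the rule grammar reserves."""
    def plain(ch):
        return 0x20 <= ord(ch) < 0x7F and ch not in '";\\|'
    parts = []
    for is_plain, run in itertools.groupby(sample, plain):
        run = "".join(run)
        parts.append(run if is_plain else "|" + " ".join(f"{ord(c):02x}" for c in run) + "|")
    keyword = "uricontent" if uri else "content"
    return f'{keyword}:"{"".join(parts)}";'


def rewrite_pcre(rule):
    """Replace each positive pcre option with a generated content match
    (uricontent when the U or I flag selects the URI buffer).  Negated pcre
    options are dropped: a payload that lacks the pattern already satisfies them."""
    def repl(m):
        if m.group("neg"):
            return ""
        uri = bool(set(m.group("flags")) & {"U", "I"})
        return content_option(sample_for(m.group("pat")), uri=uri)
    return PCRE_OPTION.sub(repl, rule)


if __name__ == "__main__":
    for pat in (r"hhcp.php?c=[a-f0-9]{5}$", r"\x00\x07[a-z0-9]{7}\x02eu\x00"):
        print(pat, "->", tool_style(sample_for(pat)), content_option(sample_for(pat)))
```

The generated string is only a witness that the regex accepts, not proof that the rule's other matches are compatible with it: 2014405 above pairs `content:"/in"; offset:11; depth:3; http_uri;` with a URI regex anchored by `$`, and a sample for one can contradict the other. Checking the assembled payload against the whole rule is what the layout step has to do.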
|---------------------|
Building Rule: 2014342
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6e 61 64 42 6f 79
--------- Hex Payload End -----------
Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe
content:"Subject: C:\.exe";
|---------------------|
Building Rule: 2014343
-------- Hex Payload Start ----------
53 75 62 6a 65 63 74 3a 20 20 43 3a 5c 20 2e 65 78 65 20 53 75 62 6a 65 63 74 3a 20 43 3a 5c 2e 65 78 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014344
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 35 2e 30 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014345
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 53 6f 66 74
--------- Hex Payload End -----------
\/content\/jav\d?\.jar$
uricontent:"/content/jav.jar";
|---------------------|
Building Rule: 2014346
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:trojan-activity; sid:2014347; rev:5;)
Parser failed - skipping rule
CHAR\([0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}
uricontent:"CHAR(00)char(##################################################################################################";
|---------------------|
Building Rule: 2014352
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014354
-------- Hex Payload Start ----------
53 75 62 6a 65 63 74 3a 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 6f 66 20 53 43 2d 4b 65 79 4c 6f 67 20 6f 6e 20 68 6f 73 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014355
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6f 66 74 6f 6e 69 63 20 44 6f 77 6e 6c 6f 61 64 65 72 2f
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:trojan-activity; sid:2014356; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014357
-------- Hex Payload Start ----------
20 20 20 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014358
-------- Hex Payload Start ----------
01 6e 65 77 5f 68 6f 73 74 5f ff ff ff ff ff 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014360
-------- Hex Payload Start ----------
50 4f 53 54 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 38 2e 32 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 2e 32 3b 20 57 69 6e 33 32 29 0d 0a 48 6f 73 74 3a 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014361
-------- Hex Payload Start ----------
4d 6f 7a 69 6c 6c 61 2f 34 2e 32 2e 32 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 2e 32 3b 20 57 69 6e 33 32 29 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014359
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 2e 31 3b 20 20 57 49 4e 49 4e 45 54 20 35 2e 30 29 0d 0a 20 48 6f 73 74 3a 20 77 77 77 2e 64 6e 73 77 61 74 63 68 2e 69 6e 66 6f 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014362
-------- Hex Payload Start ----------
3c 73 63 72 69 70 74 3e 61 3d 22 68 74 74 70 3a 2f 2f 20 2f 74 74 74 74 74 74
--------- Hex Payload End -----------
[a-z0-9]{33,}\x02ru\x00\x00
content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa#ru##";
|---------------------|
Building Rule: 2014363
-------- Hex Payload Start ----------
02 72 75 00 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 02 72 75 00 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2;)
Parser failed - skipping rule
!!--no content found in the rule--!!
Unsupported keyword!
Error parsing rule contents
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014364
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014366
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 50 6f 73 74 0d 0a 20 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014368
-------- Hex Payload Start ----------
25 50 44 46 2d 31 2e 36 20 20 28 71 77 65 31 32 33
--------- Hex Payload End -----------
\/forum\/[0-9a-f]{32}\x2ephp
uricontent:"/forum/00000000000000000000000000000000.php";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/forum/"; http_uri; uricontent:"/forum/00000000000000000000000000000000.php"; content:"HTTP/1.0"; content:!"User-Agent|3A|"; nocase; http_header; content:"Data="; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2014370; rev:3;)
Parser failed - skipping rule
\x00\x07[a-z0-9]{7}\x02eu\x00
content:"##aaaaaaa#eu#";
Unsupported keyword!
Error parsing rule contents
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern:only; content:"##aaaaaaa#eu#"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:5;)
Parser failed - skipping rule
[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00
content:"#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa#ru##";
|---------------------|
Building Rule: 2014376
-------- Hex Payload Start ----------
02 72 75 00 20 00 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 02 72 75 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014380
Error here depth!
-------- Hex Payload Start ----------
70 6f 73 74 20 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014381
Error here depth!
-------- Hex Payload Start ----------
68 65 61 64 20 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014382
Error here depth!
-------- Hex Payload Start ----------
6f 70 74 69 6f 6e 73 20 20 20
--------- Hex Payload End -----------
!!--no content found in the rule--!!
Unsupported keyword!
Error parsing rule contents
alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5;)
Parser failed - skipping rule
!!--no content found in the rule--!!
|---------------------|
Building Rule: 2014386
-------- Hex Payload Start ----------
4e 6f 6e 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014399
-------- Hex Payload Start ----------
20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 61 69 64 75 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014387
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 58 58 58 77 77 77
--------- Hex Payload End -----------
folder=\s*(ftps?|https?|php)\:\/
uricontent:"folder=ftp:/";
|---------------------|
Building Rule: 2014388
-------- Hex Payload Start ----------
20 20 20 20 20
--------- Hex Payload End -----------
mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/
uricontent:"mosConfig_absolute_path=ftp:/";
|---------------------|
Building Rule: 2014389
-------- Hex Payload Start ----------
20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014390
-------- Hex Payload Start ----------
3c 4f 42 4a 45 43 54 20 63 6c 61 73 73 69 64 43 4c 53 49 44 46 36 46 45 38 38 37 38 2d 35 34 44 32 2d 34 33 33 33 2d 42 39 46 30 2d 46 43 35 34 33 42 31 42 45 31 45 44 20 46 74 70 55 70 6c 6f 61 64 46 69 6c 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014391
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 4f 66 66 69 63 65 56 69 65 77 65 72 2e 4f 66 66 69 63 65 56 69 65 77 65 72 20 46 74 70 55 70 6c 6f 61 64 46 69 6c 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014392
-------- Hex Payload Start ----------
20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014393
-------- Hex Payload Start ----------
20 20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014394
-------- Hex Payload Start ----------
20 20 20 2e 2e 2f
--------- Hex Payload End -----------
from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"from=0script";
|---------------------|
Building Rule: 2014395
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
ID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"ID=0script";
|---------------------|
Building Rule: 2014396
-------- Hex Payload Start ----------
20 20 20 20
--------- Hex Payload End -----------
issuer\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"issuer=0script";
|---------------------|
Building Rule: 2014397
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014400
-------- Hex Payload Start ----------
20 48 6f 73 74 3a 20 77 77 77 2e 67 61 6d 65 62 6f 75 6e 64 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014401
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014402
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014403
-------- Hex Payload Start ----------
20 20 20 20 2e 70 6f 6b 65 72 2d 65 64 67 65 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014406
-------- Hex Payload Start ----------
2f 3e 3c 74 69 74 6c 65 3e 4b 65 79 73 74 72 6f 6b 65 73 20 2d 20 69 4b 65 79 4d 6f 6e 69 74 6f 72 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014407
-------- Hex Payload Start ----------
43 6f 6f 6b 69 65 3a 20 76 69 73 69 74 65 64 3d 54 52 55 45 20 43 6f 6f 6b 69 65 3a 20 6d 75 74 65 78 3d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014408
-------- Hex Payload Start ----------
76 69 73 69 74 65 64 3d 54 52 55 45 3b 20 6d 75 74 65 78 3d
--------- Hex Payload End -----------
^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/";
|---------------------|
Building Rule: 2014409
-------- Hex Payload Start ----------
47 45 54 20 3d 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 20 20 20 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 20 2e 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014410
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
content:"archive=#0.0.0.0";
|---------------------|
Building Rule: 2014415
-------- Hex Payload Start ----------
3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 61 70 70 6c 65 74 61 72 63 68 69 76 65 3d 20 63 6f 64 65 3d 20 61 72 63 68 69 76 65 3d 00 30 2e 30 2e 30 2e 30
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014417
-------- Hex Payload Start ----------
3c 6f 62 6a 65 63 74 45 30 36 35 45 34 41 2d 42 44 39 44 2d 34 35 34 37 2d 38 46 39 30 2d 39 38 35 44 43 36 32 41 35 35 39 31 2e 53 65 74 53 6f 75 72 63 65 28
--------- Hex Payload End -----------
(ActiveXObject|CreateObject)\s*\(\s*(\x22|\x27)PLAYERPT\.PlayerPTCtrl\.1
content:"ActiveXObject("PLAYERPT.PlayerPTCtrl.1";
|---------------------|
Building Rule: 2014416
-------- Hex Payload Start ----------
3c 73 63 72 69 70 74 50 4c 41 59 45 52 50 54 2e 50 6c 61 79 65 72 50 54 43 74 72 6c 2e 31 2e 53 65 74 53 6f 75 72 63 65 28 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 50 4c 41 59 45 52 50 54 2e 50 6c 61 79 65 72 50 54 43 74 72 6c 2e 31
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014418
-------- Hex Payload Start ----------
43 4c 53 49 44 35 42 44 36 34 33 39 32 2d 44 41 36 36 2d 34 38 35 32 2d 39 37 31 35 2d 43 46 42 41 39 38 44 32 35 32 39 36 20 49 6d 70 6f 72 74 53 65 74 74 69 6e 67 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014419
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 75 78 53 63 72 69 70 74 69 6e 67 2e 54 75 78 53 79 73 74 65 6d 2e 31 20 49 6d 70 6f 72 74 53 65 74 74 69 6e 67 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014420
-------- Hex Payload Start ----------
43 4c 53 49 44 35 42 44 36 34 33 39 32 2d 44 41 36 36 2d 34 38 35 32 2d 39 37 31 35 2d 43 46 42 41 39 38 44 32 35 32 39 36 20 45 78 70 6f 72 74 53 65 74 74 69 6e 67 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014421
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 75 78 53 63 72 69 70 74 69 6e 67 2e 54 75 78 53 79 73 74 65 6d 2e 31 20 45 78 70 6f 72 74 53 65 74 74 69 6e 67 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014422
-------- Hex Payload Start ----------
43 4c 53 49 44 46 35 44 46 38 44 36 35 2d 35 35 39 44 2d 34 62 37 35 2d 38 35 36 32 2d 35 33 30 32 42 44 32 46 35 46 32 30 20 49 6e 73 74 61 6c 6c 43 6c 69 65 6e 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014423
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 75 78 43 6c 69 65 6e 74 53 79 73 74 65 6d 2e 43 6c 69 65 6e 74 53 79 73 74 65 6d 2e 31 20 49 6e 73 74 61 6c 6c 43 6c 69 65 6e 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014424
-------- Hex Payload Start ----------
20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014425
-------- Hex Payload Start ----------
20 20 2e 2e 2f
--------- Hex Payload End -----------
which\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"which=0script";
|---------------------|
Building Rule: 2014426
-------- Hex Payload Start ----------
20 20
--------- Hex Payload End -----------
filter_dpt\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"filter_dpt=0script";
|---------------------|
Building Rule: 2014427
-------- Hex Payload Start ----------
20 20
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body; depth:11; classtype:trojan-activity; sid:2014428; rev:6;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014429
-------- Hex Payload Start ----------
63 6f 64 65 3d 22 65 76 69 6c 63 6f 64 65 2e 63 6c 61 73 73 22
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014437
-------- Hex Payload Start ----------
3e 49 6e 69 74 69 61 6c 69 7a 69 6e 67 20 50 72 6f 74 65 63 74 69 6f 6e 20 53 79 73 74 65 6d 2e 2e 2e 3c 2f 3e 53 79 73 74 65 6d 20 54 61 73 6b 73 3c 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014438
-------- Hex Payload Start ----------
53 65 74 2d 43 6f 6f 6b 69 65 3a 20 6e 65 77 73 3d 31
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014439
-------- Hex Payload Start ----------
4a 4f 49 4e 20 3a 23 64 6c 20 68 74 74 70 3a 2f 2f 2e 65 78 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014440
-------- Hex Payload Start ----------
61 74 74 61 63 68 6d 65 6e 74 3b 20 73 63 61 6e 64 73 6b 2e 65 78 65 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; content:"/de/s"; http_uri; depth:5; urilen:6; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014446; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2014447
Error here within!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
url=\s*(ftps?|https?|php)\:\/
uricontent:"url=ftp:/";
|---------------------|
Building Rule: 2014448
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
cal_year\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)
uricontent:"cal_year=0script";
|---------------------|
Building Rule: 2014449
-------- Hex Payload Start ----------
20 20 20
--------- Hex Payload End -----------
abspath=\s*(ftps?|https?|php)\:\/
uricontent:"abspath=ftp:/";
|---------------------|
Building Rule: 2014450
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014451
-------- Hex Payload Start ----------
43 4c 53 49 44 31 33 31 34 39 38 38 32 2d 46 34 38 30 2d 34 46 36 42 2d 38 43 36 41 2d 30 37 36 34 46 37 35 42 39 39 45 44 42 61 63 6b 49 6d 61 67 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014452
-------- Hex Payload Start ----------
41 63 74 69 76 65 58 4f 62 6a 65 63 74 43 52 41 5a 59 54 41 4c 4b 34 4c 69 62 2e 43 72 61 7a 79 54 61 6c 6b 34 42 61 63 6b 49 6d 61 67 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2014453
-------- Hex Payload Start ----------
43 4c 53 49 44 45 46 36 30 30 44 37 31 2d 33 35 38 46 2d 31 31 44 31 2d 38 46 44 34 2d 30 30 41 41 30 30 42 44 30 39 31 43 2e
41 64 64 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014454 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 41 6e 6e 6f 74 61 74 69 6f 6e 58 2e 41 6e 6e 4c 69 73 74 2e 31 2e 41 64 64 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014455 -------- Hex Payload Start ---------- 43 4c 53 49 44 37 30 37 41 42 46 43 32 2d 31 44 32 37 2d 34 61 31 30 2d 41 36 45 34 2d 36 42 45 36 42 44 46 39 46 42 31 31 2e 4f 70 65 6e 46 69 6c 65 44 6c 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014456 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 55 6c 74 72 61 4d 4a 43 61 6d 2e 55 6c 74 72 61 4d 4a 43 61 6d 2e 31 2e 4f 70 65 6e 46 69 6c 65 44 6c 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014458 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; content:"POST"; http_method; content:"/service"; http_uri; urilen:8; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; sid:2014459; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2014461 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 61 70 70 6c 65 74 20 61 72 63 68 69 76 65 3d 22 2e 6a 61 72 22 63 6f 64 65 3d 22 6d 73 66 2e 78 2e 45 78 70 6c 6f 69 74 2e 63 6c 61 73 73 22 --------- Hex Payload End ----------- \.php\?m=\w&n=\w+_\w+(@|@.c|@.t)$ uricontent:".php?m=A&n=A_A@"; |---------------------| Building Rule: 2014462 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014463 -------- Hex Payload Start ---------- 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 
28 27 74 61 62 6c 65 69 64 27 29 2e 63 6c 6f 6e 65 4e 6f 64 65 63 65 6c 6c 73 2e 75 72 6e 73 63 65 6c 6c 73 2e 69 74 65 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2014464 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014465 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/index.dat\?\d{5,9}$ uricontent:"/index0dat?00000"; |---------------------| Building Rule: 2014467 -------- Hex Payload Start ---------- 20 20 4e 65 77 41 67 65 6e 74 0d 0a 48 6f 73 74 3a 20 --------- Hex Payload End ----------- \/index.dat\?\d{5,9}$ uricontent:"/index0dat?00000"; |---------------------| Building Rule: 2014468 -------- Hex Payload Start ---------- 20 20 6d 79 41 67 65 6e 74 0d 0a 48 6f 73 74 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020604 -------- Hex Payload Start ---------- 65 76 61 6c 28 68 61 68 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014470 -------- Hex Payload Start ---------- 2e 70 64 66 27 2f 3e 3c 2f 69 66 72 61 6d 65 3e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2014472 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014473 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014474 -------- Hex Payload Start ---------- 0d 0a 0d 0a ca fe ba be --------- Hex Payload End ----------- |---------------------| Building Rule: 2014475 -------- Hex Payload Start ---------- 0d 0a 0d 0a ca fe ba be --------- Hex Payload End ----------- |---------------------| Building Rule: 2014476 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 7a 61 6c 65 74 65 6c 6c 79 20 2e 62 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014477 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 61 74 73 65 72 76 65 72 20 2e 69 6e 66 6f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014478 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 33 64 2d 67 61 6d 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014479 -------- Hex Payload Start ---------- 2e 33 64 2d 67 61 6d 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014480 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 34 69 72 63 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014481 -------- Hex Payload Start ---------- 2e 34 69 72 63 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014482 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 62 30 6e 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014483 -------- Hex Payload Start ---------- 2e 62 30 6e 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014484 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 62 62 73 69 6e 64 65 78 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014485 -------- Hex Payload Start ---------- 2e 62 62 73 69 6e 64 65 78 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014486 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 63 68 61 74 6e 6f 6f 6b 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014487 -------- Hex Payload Start ---------- 2e 63 68 61 74 6e 6f 6f 6b 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014488 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 64 61 72 6b 74 65 63 68 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014489 -------- Hex Payload Start ---------- 2e 64 61 72 6b 74 65 63 68 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014490 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 64 65 61 66 74 6f 6e 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014491 -------- Hex Payload Start ---------- 2e 64 65 61 66 74 6f 6e 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014492 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 64 74 64 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014493 -------- Hex Payload Start ---------- 2e 64 74 64 6e 73 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014494 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 65 66 66 65 72 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014495 -------- Hex Payload Start ---------- 2e 65 66 66 65 72 73 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014496 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 65 74 6f 77 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014497 -------- Hex Payload Start ---------- 2e 65 74 6f 77 6e 73 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014498 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 65 74 6f 77 6e 73 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014499 -------- Hex Payload Start ---------- 2e 65 74 6f 77 6e 73 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014500 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 66 6c 6e 65 74 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014501 -------- Hex Payload Start ---------- 2e 66 6c 6e 65 74 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014502 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 67 6f 74 67 65 65 6b 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014503 -------- Hex Payload Start ---------- 2e 67 6f 74 67 65 65 6b 73 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014504 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 73 63 69 65 72 6f 6e 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014505 -------- Hex Payload Start ---------- 2e 73 63 69 65 72 6f 6e 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014506 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 73 6c 79 69 70 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014507 -------- Hex Payload Start ---------- 2e 73 6c 79 69 70 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014508 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 01 00 00 01 00 00 00 00 00 00 05 73 6c 79 69 70 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014509 -------- Hex Payload Start ---------- 2e 73 6c 79 69 70 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014510 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 73 75 72 6f 6f 74 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014511 -------- Hex Payload Start ---------- 2e 73 75 72 6f 6f 74 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014513 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 7a 61 6c 65 74 65 6c 6c 79 20 02 62 65 00 --------- Hex Payload End ----------- \/stat_d\/$ uricontent:"/stat_d/"; |---------------------| Building Rule: 2014522 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/stat_u\/$ uricontent:"/stat_u/"; |---------------------| Building Rule: 2014523 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/stat_n\/$ uricontent:"/stat_n/"; |---------------------| Building Rule: 2014524 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/stat_svc\/$ uricontent:"/stat_svc/"; |---------------------| Building Rule: 2014525 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014534 -------- Hex Payload Start ---------- 20 57 4f 57 36 34 3b 20 72 76 3a 39 2e 30 2e 31 3b 20 73 76 3a 20 20 69 64 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014514 -------- Hex Payload Start ---------- 0d 0a 0d 0a ca fe ba be ce fa ed fe 5f 5f 54 45 58 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014515 -------- Hex Payload Start ---------- 0d 0a 0d 0a ca fe ba be fe ed fa ce 5f 5f 54 45 58 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014516 -------- Hex Payload Start ---------- 0d 0a 0d 0a ce fa ed fe 5f 5f 54 45 58 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014517 -------- Hex Payload Start ---------- 0d 0a 0d 0a fe ed fa ce 5f 5f 
54 45 58 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014518 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 70 6c 69 73 74 20 76 65 72 73 69 6f 6e 3d 41 70 70 6c 65 5f 70 61 72 74 69 74 69 6f 6e 5f 6d 61 70 41 70 70 6c 65 5f 48 46 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014519 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 20 69 6e 6c 69 6e 65 20 0d 0a 0d 0a 4d 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014520 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 20 61 74 74 61 63 68 6d 65 6e 74 20 0d 0a 0d 0a 4d 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014526 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 03 04 14 00 08 00 08 00 --------- Hex Payload End ----------- \x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D uricontent:"/aaaaa.php?id=0aaaaaaaaaaaa&ext="; |---------------------| Building Rule: 2014528 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+121212121212 uricontent:"/aaaaa.php?id=0121212121212"; |---------------------| Building Rule: 2014529 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014530 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 00 01 00 01 73 74 64 61 70 69 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014531 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 00 01 00 01 63 6f 72 65 5f 63 68 61 6e 6e 65 6c 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014532 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 00 01 00 01 73 74 64 61 70 69 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014533 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 00 01 00 01 63 6f 72 65 5f 63 68 61 6e 6e 65 6c 5f --------- Hex Payload End ----------- \.txt$ uricontent:".txt"; |---------------------| Building Rule: 2014826 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014535 -------- Hex Payload Start ---------- 42 69 74 63 6f 69 6e 50 6c 75 73 4d 69 6e 65 72 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014537 -------- Hex Payload Start ---------- 2e 70 72 6f 74 6f 74 79 70 65 2e 71 7d 63 61 74 63 68 28 20 2e 73 70 6c 69 74 28 --------- Hex Payload End ----------- \/indigo\?\d+ uricontent:"/indigo?0"; |---------------------| Building Rule: 2014539 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014540 -------- Hex Payload Start ---------- 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 20 29 2e 70 72 6f 74 6f 74 79 70 65 2e 20 7d 63 61 74 63 68 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014541 -------- Hex Payload Start ---------- 46 48 53 63 61 6e 20 43 6f 72 65 20 31 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - redirect received"; flow:established,to_client; content:"302"; http_stat_code; content:" SL_"; content:"_0000="; within:8; classtype:bad-unknown; sid:2014542; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014543 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set"; flow:established,to_client; content:!"302"; http_stat_code; content:"Set-Cookie|3a| SL_"; content:"_0000="; within:8; classtype:bad-unknown; sid:2014544; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2014545 -------- Hex Payload Start ---------- 0d 0a 0d 0a 2f 69 6e 2e 63 67 69 3f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014546 -------- Hex Payload Start ---------- 2f 69 6e 2e 63 67 69 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014549 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3f 69 67 63 2e 6e 69 2f --------- Hex Payload End ----------- &d=.{44}$ uricontent:"&d=00000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2016963 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014550 -------- Hex Payload Start ---------- 43 4c 53 49 44 38 34 42 37 34 45 38 32 2d 33 34 37 35 2d 34 32 30 45 2d 39 39 34 39 2d 37 37 33 42 34 46 42 39 31 37 37 31 52 75 6e 41 6e 64 55 70 6c 6f 61 64 46 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014551 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 49 73 69 67 2e 69 73 69 67 43 74 6c 2e 31 52 75 6e 41 6e 64 55 70 6c 6f 61 64 46 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014552 -------- Hex Payload Start ---------- 43 4c 53 49 44 36 32 38 36 45 46 31 41 2d 42 35 36 45 2d 34 38 45 46 2d 39 30 43 33 2d 37 34 33 34 31 30 36 35 37 46 33 43 72 65 61 64 52 65 67 56 61 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2014553 -------- Hex Payload Start 
---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 44 45 54 45 43 54 49 45 53 45 54 54 49 4e 47 53 2e 64 65 74 65 63 74 49 45 53 65 74 74 69 6e 67 73 43 74 72 6c 2e 31 72 65 61 64 52 65 67 56 61 6c --------- Hex Payload End ----------- url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"url=0script"; |---------------------| Building Rule: 2014554 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"i=0script"; |---------------------| Building Rule: 2014555 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014556 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014557 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014558 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- path=\s*(ftps?|https?|php)\:\/ uricontent:"path=ftp:/"; |---------------------| Building Rule: 2014559 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014560 -------- Hex Payload Start ---------- 6d 73 66 2f 78 2f 50 61 79 6c 6f 61 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014562 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 3b 20 57 69 6e 64 6f 77 73 20 39 38 29 20 2a 3b 71 3d 30 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2014563 -------- Hex Payload Start ---------- 0d 0a 0d 0a 53 54 41 54 55 53 2d 49 4d 50 4f 52 54 2d 4f 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014561 -------- Hex Payload Start ---------- 0d 0a 0d 0a 63 6f 64 65 3d 20 20 78 70 6c 6f 69 74 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014564 -------- Hex Payload Start ---------- 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 2c 67 7a 69 70 20 20 4d 61 63 20 4f 53 20 58 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014565 -------- Hex Payload Start ---------- 3c 73 63 72 69 70 74 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 69 6e 64 65 78 4f 66 28 27 4d 61 63 27 29 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 64 65 27 2e 63 6c 61 73 73 73 65 74 41 74 74 72 69 62 75 74 65 28 27 61 72 63 68 69 76 65 27 2e 6a 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014566 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE Download With Content Type Specified As Empty"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; content:"|0d 0a 0d 0a|"; distance:0; content:"MZ"; within:2; isdataat:80,relative; content:"This program "; distance:0; content:"PE|00|"; distance:0; reference:md5,d51218653323e48672023806f6ace26b; classtype:trojan-activity; sid:2014567; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2014568 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014569 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 26 66 6c 61 73 68 3d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014570 -------- Hex Payload Start ---------- 72 65 67 69 63 73 67 66 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014571 -------- Hex Payload Start ---------- 73 65 6b 74 6f 72 69 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014572 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 72 65 67 69 63 73 67 66 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014573 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 73 65 6b 74 6f 72 69 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014574 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 4e 45 54 20 54 65 63 68 54 72 61 63 6b 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014576 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 42 6f 6f 6b 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014578 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 20 43 6c 69 65 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014579 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 20 43 6c 69 65 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014581 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 49 4e 43 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014584 -------- Hex Payload Start ---------- 6d 69 63 72 6f 73 6f 66 74 5f 70 72 65 64 61 74 6f 72 5f 63 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014585 -------- Hex Payload Start ---------- 43 4c 53 49 44 36 31 31 36 41 37 45 43 2d 42 39 31 34 2d 34 43 43 45 2d 42 31 38 36 2d 36 36 45 30 45 45 37 30 36 37 43 46 4c 69 63 65 6e 73 65 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014586 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 45 44 42 6f 61 72 64 4c 69 62 2e 45 44 42 6f 61 72 64 4c 69 63 65 6e 73 65 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014587 -------- Hex Payload 
Start ---------- 43 4c 53 49 44 44 39 33 39 37 31 36 33 2d 41 32 44 42 2d 34 41 34 41 2d 42 32 43 39 2d 33 34 45 38 37 36 41 46 32 44 46 43 53 61 76 65 4d 69 6e 69 4c 61 75 6e 63 68 46 69 6c 65 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014588 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 50 4e 4c 4c 4d 2e 43 6c 69 65 6e 74 2e 31 53 61 76 65 4d 69 6e 69 4c 61 75 6e 63 68 46 69 6c 65 28 --------- Hex Payload End ----------- submit\x3d +(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"submit=%20script"; |---------------------| Building Rule: 2014589 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- option=\s*(ftps?|https?|php)\:\/ uricontent:"option=ftp:/"; |---------------------| Building Rule: 2014590 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- domain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"domain=0script"; |---------------------| Building Rule: 2014591 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- settings\-updated\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D) uricontent:"settings-updated=0script"; |---------------------| Building Rule: 2014592 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014593 -------- Hex Payload Start ---------- 43 4c 53 49 44 36 35 39 39 36 32 30 30 2d 33 42 38 37 2d 31 31 44 34 2d 41 32 31 46 2d 30 30 45 30 32 39 31 38 39 38 32 36 2e 53 61 76 65 44 61 74 61 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014594 -------- Hex Payload Start ---------- 41 
63 74 69 76 65 58 4f 62 6a 65 63 74 54 4c 69 73 74 2e 54 4c 69 73 74 2e 36 2e 53 61 76 65 44 61 74 61 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014575 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 20 2f 45 6d 62 65 64 64 65 64 46 69 6c 65 73 20 73 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; content:"|0d 0a 0d 0a 50 4b 03 04|"; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2014597 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014600 Error here within! Error here within! Error here within! 
-------- Hex Payload Start ---------- 01 00 00 00 2e 20 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 00 57 69 6e 64 6f 77 73 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014601 Error here within! Error here within! Error here within! Error here within! 
-------- Hex Payload Start ---------- 01 00 00 00 2e 20 26 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 20 20 20 20 20 20 20 20 20 20 20 20 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014606 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 77 20 76 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014605 -------- Hex Payload Start ---------- 0d 0a 0d 0a 63 66 67 69 6e 74 3d 20 63 69 64 3d 20 65 75 73 3d 20 65 73 69 6e 74 3d 20 73 63 32 64 63 6e 74 3d 20 64 6f 6d 66 71 63 61 70 3d 20 64 6f 6d 74 6d 3d 20 63 73 73 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2014607 Error here within! -------- Hex Payload Start ---------- 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 20 68 74 74 70 3a 2f 2f 20 2f 72 2e 70 68 70 20 3e 3c 2f 73 63 72 69 70 74 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014608 Error here within! 
-------- Hex Payload Start ---------- 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 20 68 74 74 70 3a 2f 2f 20 2f 72 2e 70 68 70 20 3e 3c 2f 73 63 72 69 70 74 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014610 -------- Hex Payload Start ---------- 20 73 6f 66 74 77 61 72 65 20 49 50 57 6f 72 6b 73 20 48 54 54 50 2f 53 20 43 6f 6d 70 6f 6e 65 6e 74 20 2d 20 77 77 77 2e 6e 73 6f 66 74 77 61 72 65 2e 63 6f 6d --------- Hex Payload End ----------- ^\/images\.php\?t=\d+$ uricontent:"/images.php?t=0"; |---------------------| Building Rule: 2014609 -------- Hex Payload Start ---------- 20 29 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014611 -------- Hex Payload Start ---------- 73 75 74 72 61 52 55 4c 45 5a 63 6f 6f 6b 69 65 73 20 73 75 74 72 61 52 55 4c 45 5a 63 6f 6f 6b 69 65 73 73 75 70 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014612 -------- Hex Payload Start ---------- 73 75 74 72 61 52 55 4c 45 5a 63 6f 6f 6b 69 65 73 20 73 75 74 72 61 52 55 4c 45 5a 63 6f 6f 6b 69 65 73 73 75 70 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014613 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014614 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014615 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016430 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014617 Protocol Not Supported |---------------------| Building Rule: 2014619 -------- Hex Payload Start ---------- 43 4c 53 49 44 32 30 39 45 42 44 45 45 2d 30 36 35 43 2d 31 31 44 34 2d 41 36 42 38 2d 30 30 43 30 34 46 30 44 33 38 
42 37 53 68 6f 77 52 65 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014620 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4d 59 43 49 4f 53 43 4e 4c 69 62 2e 53 63 61 6e 53 68 6f 77 52 65 70 6f 72 74 --------- Hex Payload End ----------- target\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"target=0script"; |---------------------| Building Rule: 2014621 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- page\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"page=0script"; |---------------------| Building Rule: 2014622 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- rootpath=\s*(ftps?|https?|php)\:\/ uricontent:"rootpath=ftp:/"; |---------------------| Building Rule: 2014623 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- rootpath=\s*(ftps?|https?|php)\:\/ uricontent:"rootpath=ftp:/"; |---------------------| Building Rule: 2014624 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- rootpath=\s*(ftps?|https?|php)\:\/ uricontent:"rootpath=ftp:/"; |---------------------| Building Rule: 2014625 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- rootpath=\s*(ftps?|https?|php)\:\/ uricontent:"rootpath=ftp:/"; |---------------------| Building Rule: 2014626 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- rootpath=\s*(ftps?|https?|php)\:\/ uricontent:"rootpath=ftp:/"; |---------------------| Building Rule: 2014627 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- rootpath=\s*(ftps?|https?|php)\:\/ uricontent:"rootpath=ftp:/"; |---------------------| Building Rule: 2014628 -------- Hex Payload Start ---------- 20 --------- 
Hex Payload End ----------- |---------------------| Building Rule: 2014630 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014632 -------- Hex Payload Start ---------- 47 45 54 20 2f 57 69 6e 44 61 74 61 2e 44 4c 4c 3f 48 45 4c 4f 2d 53 54 58 2d 31 2a 24 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:1;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2014636 -------- Hex Payload Start ---------- 3c 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 20 3c 2f 74 69 74 6c 65 3e 3c 62 6f 64 79 3e 20 2e f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014638 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014637 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014639 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2014643 -------- Hex Payload Start ---------- 47 45 54 20 68 74 74 70 3a 2f 2f 20 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 74 63 68 0d 0a 20 0d 0a 58 2d 48 4f 53 54 3a 20 20 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a --------- Hex Payload End ----------- <title>[a-f0-9]{10}<\/title> content:"<title>aaaaaaaaaa</title>"; |---------------------| Building Rule: 2014644 -------- Hex Payload Start ---------- 50 6c 75 67 69 6e 44 65 74 65 63 74 20 3c 61 70 70 6c 65 74 20 3c 74 69 74 6c 65 3e 61 61 61 61 61 61 61 61 61 61 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014645 -------- Hex Payload Start ---------- 52 75 67 67 65 64 20 4f 70 65 72 61 74 69 6e 67 20 53 79 73 74 65 6d 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 52 75 67 67 65 64 43 6f 6d 4d 41 43 20 41 64 64 72 65 73 73 3a --------- Hex Payload End ----------- Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING 
CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"Enter User Name:factory "; |---------------------| Building Rule: 2014646 -------- Hex Payload Start ---------- 45 6e 74 65 72 20 55 73 65 72 20 4e 61 6d 65 3a 20 45 6e 74 65 72 20 55 73 65 72 20 4e 61 6d 65 3a 66 61 63 74 6f 72 79 0d --------- Hex Payload End ----------- id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"id=0script"; |---------------------| Building Rule: 2014647 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014648 -------- Hex Payload Start ---------- 43 4c 53 49 44 32 45 45 30 31 43 46 41 2d 31 33 39 46 2d 34 33 31 45 2d 42 42 31 44 2d 35 45 35 36 42 34 44 43 45 43 31 38 53 74 6f 72 65 49 6e 52 65 67 69 73 74 72 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014649 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 70 64 66 78 63 74 72 6c 4c 69 62 2e 50 64 66 50 72 69 6e 74 65 72 50 72 65 66 65 72 65 6e 63 65 73 53 74 6f 72 65 49 6e 52 65 67 69 73 74 72 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014650 -------- Hex Payload Start ---------- 43 4c 53 49 44 32 45 45 30 31 43 46 41 2d 31 33 39 46 2d 34 33 31 45 2d 42 42 31 44 2d 35 45 35 36 42 34 44 43 45 43 31 38 49 6e 69 74 46 72 6f 6d 52 65 67 69 73 74 72 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014651 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 70 64 66 78 63 74 72 6c 4c 69 62 2e 50 64 66 50 72 69 6e 74 65 72 50 72 65 66 65 72 65 6e 63 65 73 49 6e 69 74 46 72 6f 6d 52 65 67 69 73 74 72 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014652 
-------- Hex Payload Start ---------- 43 4c 53 49 44 46 37 30 31 34 38 37 37 2d 36 46 35 41 2d 34 30 31 39 2d 41 33 42 32 2d 37 34 30 37 37 46 32 41 45 31 32 36 2e 53 61 76 65 54 6f 46 69 6c 65 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014653 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 51 45 78 70 6c 61 69 6e 32 2e 45 78 70 6c 61 69 6e 50 6c 61 6e 44 69 73 70 6c 61 79 58 2e 53 61 76 65 54 6f 46 69 6c 65 28 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_videogallery"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_some"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:4;) Parser failed - skipping rule submit\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"submit=0script"; |---------------------| Building Rule: 2014656 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014657 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014658 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014659 -------- Hex Payload Start ---------- 50 6c 65 61 73 65 3a 77 61 69 74 3a 70 61 67 65 3a 69 73 3a 6c 6f 61 64 69 6e 67 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a|"; depth:25; http_header; content:"User-Agent|3a| "; http_header; distance:0; content:"Host|3a| "; http_header; distance:0; content:"uid="; depth:4; http_cookie; content:"|3b 20|VISITOR="; distance:0; http_cookie; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014661 -------- Hex Payload Start ---------- 74 72 79 7b 70 72 6f 74 6f 74 79 70 65 3b 7d 63 61 74 63 68 28 73 75 62 73 74 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: Protocol 
Not Supported Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url, www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2014665 -------- Hex Payload Start ---------- 0d 0a 0d 0a 76 61 72 20 73 74 6f 70 69 74 20 3d 20 42 72 6f 77 73 65 72 44 65 74 65 63 74 2e 62 72 6f 77 73 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014667 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014668 -------- Hex Payload Start ---------- 46 72 6f 6d 3a 20 22 42 69 74 63 68 20 49 6e 66 65 63 74 65 64 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014700 -------- Hex Payload Start ---------- 55 53 45 52 20 62 6f 74 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014666 -------- Hex Payload Start ---------- 0d 0a 0d 0a 2f 69 6d 61 67 65 73 
2e 70 68 70 3f 74 3d 20 77 69 64 74 68 3d 5c 22 31 5c 22 20 68 65 69 67 68 74 3d 5c 22 31 5c 22 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:11;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:8;) Parser failed - skipping rule (?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z] uricontent:"?-A"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; content:"?"; http_uri; content:"-"; http_uri; distance:0; content:!"="; http_raw_uri; uricontent:"?-A"; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2014705 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014706 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014707 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 70 61 79 6c 6f 61 64 2e 65 78 65 2e 65 78 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014708 -------- Hex Payload Start ---------- 43 4c 53 49 44 32 45 42 45 31 34 30 36 2d 42 45 30 45 2d 34 34 45 36 2d 41 45 31 30 2d 32 34 37 41 30 43 35 41 45 44 43 46 2e 47 65 74 4f 62 6a 65 63 74 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014709 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4d 56 54 2e 4d 56 54 43 6f 6e 74 72 6f 6c 2e 36 33 30 30 2e 47 65 74 4f 62 6a 65 63 74 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014710 -------- Hex Payload Start ---------- 43 4c 53 49 44 46 41 36 45 32 45 41 39 2d 44 38 31 36 2d 34 46 30 30 2d 39 34 30 42 2d 36 30 39 43 39 45 38 38 34 37 41 34 52 65 71 75 65 73 74 53 63 72 65 65 6e 4f 70 74 69 6d 69 7a 61 74 69 6f 6e --------- Hex Payload End ----------- kategorie\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) 
uricontent:"kategorie=0script"; |---------------------| Building Rule: 2014711 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- rwflush\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"rwflush=0script"; |---------------------| Building Rule: 2014712 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014713 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 57 65 62 65 78 55 43 46 4f 62 6a 65 63 74 2e 57 65 62 65 78 55 43 46 4f 62 6a 65 63 74 4e 65 77 4f 62 6a 65 63 74 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014714 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 32 45 32 36 46 44 39 2d 46 34 33 35 2d 34 41 32 30 2d 41 35 36 31 2d 33 35 44 34 42 39 38 37 43 46 44 43 4e 65 77 4f 62 6a 65 63 74 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014715 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014716 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014717 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014718 -------- Hex Payload Start ---------- 28 4e 69 6e 74 65 6e 64 6f 20 57 69 69 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014719 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014720 -------- Hex Payload Start ---------- 21 20 5c 7c 3f 2f 2e 65 78 65 5c 7c 3f 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014721 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014722 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014723 -------- Hex Payload Start ---------- 0d 0a 6c 63 6f 6e 3a 20 --------- Hex Payload End ----------- \x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$ uricontent:"/src.php?case=aaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2014725 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014728 -------- Hex Payload Start ---------- 20 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 4d 53 49 45 20 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014729 -------- Hex Payload Start ---------- 3e 56 69 72 75 73 65 73 20 77 65 72 65 20 66 6f 75 6e 64 20 6f 6e 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 21 3c 2f 20 69 6d 61 67 65 73 2f 61 6c 65 72 74 2e 70 6e 67 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014731; rev:2;) Parser failed - skipping rule ^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$ NOT IMPL not _simple(av) in REPEATING CODES content:"0|dlexec|#"; Parser failed - skipping rule ^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$ NOT IMPL not _simple(av) in REPEATING CODES content:"0|ddos|#"; Parser failed - skipping rule |---------------------| Building Rule: 2014734 -------- Hex Payload Start ---------- 0d 0a 0d 0a 64 38 3a 61 6e 6e 6f 75 6e 63 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014735 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"s=0script"; |---------------------| Building Rule: 2014736 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014737 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 32 42 31 36 35 43 31 2d 41 44 33 31 2d 31 31 44 35 2d 38 38 38 39 2d 30 30 31 30 41 34 43 36 32 44 30 36 63 6d 64 53 61 76 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014738 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 68 72 65 65 44 69 66 79 2e 54 68 72 65 65 44 69 66 79 44 65 73 69 67 6e 65 72 2e 31 63 6d 64 53 61 76 65 --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2014739 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 32 42 31 36 35 43 31 2d 41 44 33 31 2d 31 31 44 35 2d 38 38 38 39 2d 30 30 31 30 41 34 43 36 32 44 30 36 63 6d 64 45 78 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014740 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 68 72 65 65 44 69 66 79 2e 54 68 72 65 65 44 69 66 79 44 65 73 69 67 6e 65 72 2e 31 63 6d 64 45 78 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014741 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 32 42 31 36 35 43 31 2d 41 44 33 31 2d 31 31 44 35 2d 38 38 38 39 2d 30 30 31 30 41 34 43 36 32 44 30 36 63 6d 64 49 6d 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014742 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 68 72 65 65 44 69 66 79 2e 54 68 72 65 65 44 69 66 79 44 65 73 69 67 6e 65 72 2e 31 63 6d 64 49 6d 70 6f 72 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014743 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 32 42 31 36 35 43 31 2d 41 44 33 31 2d 31 31 44 35 2d 38 38 38 39 2d 30 30 31 30 41 34 43 36 32 44 30 36 63 6d 64 4f 70 65 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014744 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 54 68 72 65 65 44 69 66 79 2e 54 68 72 65 65 44 69 66 79 44 65 73 69 67 6e 65 72 2e 31 63 6d 64 4f 70 65 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014749 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/[0-9]\.html$ uricontent:"/0.html"; |---------------------| Building Rule: 2014750 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014757 -------- Hex Payload Start 
---------- 55 53 45 52 20 67 72 69 70 74 6f 6c 6f 6a 69 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014758 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014759 -------- Hex Payload Start ---------- 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 63 69 5f 73 65 73 73 69 6f 6e 3d 73 65 73 73 69 6f 6e 5f 69 64 69 70 5f 61 64 64 72 65 73 73 75 73 65 72 5f 61 67 65 6e 74 6c 61 73 74 5f 61 63 74 69 76 69 74 79 75 73 65 72 5f 64 61 74 61 --------- Hex Payload End ----------- \/[a-z0-9]{32}\.jar$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jar"; |---------------------| Building Rule: 2014751 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014752 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 53 41 5f 4c 6f 61 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014754 -------- Hex Payload Start ---------- 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014755 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 41 62 63 4c 69 62 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014760 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014761 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014762 Protocol Not Supported |---------------------| Building Rule: 2014763 -------- 
Hex Payload Start ---------- 43 4c 53 49 44 33 30 32 31 32 34 43 34 2d 33 30 41 30 2d 34 38 34 41 2d 39 43 37 41 2d 42 35 31 44 35 42 41 35 33 30 36 42 2e 47 65 74 46 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014764 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 43 68 69 6c 6b 61 74 46 74 70 32 2e 43 68 69 6c 6b 61 74 46 74 70 32 2e 31 2e 47 65 74 46 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014765 -------- Hex Payload Start ---------- 43 4c 53 49 44 38 46 30 38 35 42 43 30 2d 33 36 33 44 2d 34 32 31 39 2d 39 35 42 41 2d 44 43 38 41 35 45 30 36 44 32 39 35 42 6c 6f 67 54 68 69 73 4c 69 6e 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014766 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 57 69 6e 64 6f 77 73 4c 69 76 65 57 72 69 74 65 72 41 70 70 6c 69 63 61 74 69 6f 6e 4c 69 62 2e 57 69 6e 64 6f 77 73 4c 69 76 65 57 72 69 74 65 72 41 70 70 6c 69 63 61 74 69 6f 6e 42 6c 6f 67 54 68 69 73 4c 69 6e 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014767 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- rowcount\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"rowcount=0script"; |---------------------| Building Rule: 2014768 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- category\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"category=0script"; |---------------------| Building Rule: 2014769 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) 
uricontent:"s=0script"; |---------------------| Building Rule: 2014770 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014771 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014772 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014773 -------- Hex Payload Start ---------- 22 68 22 2b 22 61 72 43 6f 64 65 22 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014774 -------- Hex Payload Start ---------- 3e 3c 71 77 65 20 71 77 65 71 77 65 3d --------- Hex Payload End ----------- \x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$ uricontent:"/content/a.php?f=0"; |---------------------| Building Rule: 2014775 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$ uricontent:"/content/a.php?f=0::0"; |---------------------| Building Rule: 2014776 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014778 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 48 6f 73 74 3a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 3a 20 6e 6f 2d 63 61 63 68 65 20 74 20 74 --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 300 |---------------------| Building Rule: 2014779 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 32 32 38 38 03 6f 72 67 00 --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 300 |---------------------| Building Rule: 2014781 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 33 33 32 32 03 6e 65 74 00 --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 300 |---------------------| Building Rule: 2014782 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 36 36 30 30 03 6f 72 67 00 --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 300 |---------------------| Building Rule: 2014783 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 37 37 36 36 03 6f 72 67 00 --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 300 |---------------------| Building Rule: 2014784 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 38 38 30 30 03 6f 72 67 00 --------- Hex Payload End ----------- type limit, count 1, track by_src, seconds 300 |---------------------| Building Rule: 2014786 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 39 39 36 36 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014787 -------- Hex Payload Start ---------- 2e 32 32 38 38 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014788 -------- Hex Payload Start ---------- 2e 33 33 32 32 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014789 -------- Hex Payload Start ---------- 2e 36 36 30 30 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014790 -------- Hex Payload Start ---------- 2e 37 37 36 36 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014791 -------- Hex Payload Start ---------- 2e 38 38 30 30 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014792 -------- Hex Payload Start ---------- 2e 39 39 36 36 2e 6f 72 67 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014793 -------- Hex Payload Start ---------- 58 2d 4d 61 69 6c 65 72 3a 20 42 6c 61 74 20 20 53 75 62 6a 65 63 74 3a 20 43 6f 6e 74 65 6e 74 73 20 6f 66 20 66 69 6c 65 3a 20 73 74 64 69 6e 2e 74 78 74 6e 61 6d 65 3d 20 2e 6d 70 66 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2014795 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 4f 4e 54 45 4e 54 2d 54 59 50 45 3a 20 66 69 6c 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014797 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014798 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 43 4d 4d 2e 49 6e 73 74 61 6c 6c 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014799 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 73 77 75 70 64 61 74 65 2e 6f 70 65 6e 76 70 6e 2e 6e 65 74 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 77 69 73 74 65 64 20 50 61 67 65 47 65 74 74 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014801 -------- Hex Payload Start ---------- 74 72 79 7b 61 70 70 2e 74 69 74 6c 65 7d 63 61 74 63 68 28 --------- Hex Payload End ----------- \w_\.jar\?[a-f0-9]{8}$ uricontent:"A_.jar?aaaaaaaa"; |---------------------| Building Rule: 2014802 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014805 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014816 -------- Hex Payload Start ---------- 20 20 47 54 42 30 2e 30 3b 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2014806 -------- Hex Payload Start ---------- 43 4c 53 49 44 42 39 44 33 38 45 39 39 2d 35 46 36 45 2d 34 43 35 31 2d 38 43 46 44 2d 35 30 37 38 30 34 33 38 37 41 45 39 49 6e 69 74 4c 69 63 65 6e 4b 65 79 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014807 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 53 4b 49 4e 43 52 41 46 54 45 52 4c 69 62 2e 53 43 53 6b 69 6e 33 49 6e 69 74 4c 69 63 65 6e 4b 65 79 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014808 -------- Hex Payload Start ---------- 43 4c 53 49 44 30 35 44 39 36 46 37 31 2d 38 37 43 36 2d 31 31 64 33 2d 39 42 45 34 2d 30 30 39 30 32 37 34 32 44 36 45 30 41 74 74 61 63 68 6d 65 6e 74 5f 54 69 6d 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014809 -------- Hex Payload Start ---------- 43 4c 53 49 44 30 35 44 39 36 46 37 31 2d 38 37 43 36 2d 31 31 64 33 2d 39 42 45 34 2d 30 30 39 30 32 37 34 32 44 36 45 30 49 6d 70 6f 72 74 5f 54 69 6d 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014810 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"id=0script"; |---------------------| Building Rule: 2014811 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- group\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"group=0script"; |---------------------| Building Rule: 2014812 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- 
season\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"season=0script"; |---------------------| Building Rule: 2014813 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014814 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014815 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014817 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 7a 65 72 6f 75 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014818 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 32 31 35 30 29 0d 0a --------- Hex Payload End ----------- src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f] uricontent:"src=http:/#"; |---------------------| Building Rule: 2014846 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:3;) Parser failed - skipping rule display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E content:"display:none;">00,00,00,00,00</pre><script>"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; content:"display:none;">00,00,00,00,00</pre><script>"; classtype:trojan-activity; sid:2014820; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014821 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 2d 2e 72 61 77 56 61 6c 75 65 5d 5b 30 5d 2e 73 70 6c 69 74 28 27 2d 27 29 3b --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/wp-content/rss.php"; http_uri; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; http_client_body; content:"&PASSWORD="; distance:0; http_client_body; content:"&ACTION="; distance:0; http_client_body; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2014823 -------- Hex Payload Start ---------- 6f 62 6a 20 3c 3c 20 28 61 73 64 76 73 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014825 -------- Hex Payload Start ---------- 70 72 65 20 69 64 3d 22 61 73 64 22 --------- Hex Payload End ----------- name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22 NOT IMPL not _simple(av) in REPEATING CODES content:"name="FEDEX.zip""; |---------------------| Building Rule: 2014827 -------- Hex Payload Start ---------- 6e 61 6d 65 3d 22 46 45 44 45 58 20 2e 7a 69 70 22 20 6e 61 6d 65 3d 22 46 45 44 45 58 2e 7a 69 70 22 --------- Hex Payload End ----------- name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22 NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"name="UPS.zip""; |---------------------| Building Rule: 2014828 -------- Hex Payload Start ---------- 6e 61 6d 65 3d 22 20 55 50 53 20 2e 7a 69 70 22 20 6e 61 6d 65 3d 22 55 50 53 2e 7a 69 70 22 --------- Hex Payload End ----------- name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22 content:"name="Post_Express_Label_.zip""; |---------------------| Building Rule: 2014829 -------- Hex Payload Start ---------- 6e 61 6d 65 3d 22 50 6f 73 74 5f 45 78 70 72 65 73 73 5f 4c 61 62 65 6c 5f 20 2e 7a 69 70 22 20 6e 61 6d 65 3d 22 50 6f 73 74 5f 45 78 70 72 65 73 73 5f 4c 61 62 65 6c 5f 2e 7a 69 70 22 --------- 
Hex Payload End ----------- \/\w{1,2}\/\w{1,2}\.class$ uricontent:"/A/A.class"; |---------------------| Building Rule: 2014830 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014847 -------- Hex Payload Start ---------- 3c 3f 65 76 61 6c 28 67 7a 69 6e 66 6c 61 74 65 28 62 61 73 65 36 34 5f 64 65 63 6f 64 65 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014831 -------- Hex Payload Start ---------- 43 4c 53 49 44 39 32 45 37 44 44 45 44 2d 42 42 46 45 2d 34 44 44 46 2d 42 37 31 37 2d 30 37 34 45 33 42 36 30 32 44 31 42 53 65 74 54 6d 70 50 72 6f 66 69 6c 65 4f 70 74 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2014832 -------- Hex Payload Start ---------- 43 4c 53 49 44 39 32 45 37 44 44 45 44 2d 42 42 46 45 2d 34 44 44 46 2d 42 37 31 37 2d 30 37 34 45 33 42 36 30 32 44 31 42 43 6f 6e 6e 65 63 74 54 6f 4e 65 74 77 6f 72 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014833 -------- Hex Payload Start ---------- 43 4c 53 49 44 30 30 31 36 35 37 35 32 2d 42 31 42 41 2d 31 31 43 45 2d 41 42 43 36 2d 46 35 42 32 45 37 39 44 39 45 33 46 2e 41 70 70 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014834 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4c 54 52 41 53 54 45 52 54 57 41 49 4e 4c 69 62 5f 55 2e 4c 45 41 44 52 61 73 74 65 72 54 77 61 69 6e 5f 55 2e 41 70 70 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014835 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 41 76 65 6e 74 61 69 6c 2e 45 50 49 6e 73 74 61 6c 6c 65 72 49 6e 73 74 61 6c 6c 33 72 64 50 61 72 74 79 43 6f 6d 70 6f 6e 65 6e 74 --------- Hex Payload End ----------- PathToRoot=\s*(ftps?|https?|php)\:\/ uricontent:"PathToRoot=ftp:/"; |---------------------| Building Rule: 2014836 -------- 
Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014837 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- type\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"type=0script"; |---------------------| Building Rule: 2014838 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- opt\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"opt=0script"; |---------------------| Building Rule: 2014839 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014840 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014841 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014842 -------- Hex Payload Start ---------- 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 64 61 74 61 3a 69 6d 61 67 65 2f 67 69 66 3b 62 61 73 65 36 34 2c 52 30 6c 47 4f 44 6c 68 45 41 41 51 41 41 41 41 41 43 48 2f 43 30 35 46 56 46 4e 44 51 56 42 46 4d 69 34 77 41 77 48 2f 2f --------- Hex Payload End ----------- [\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9] uricontent:"?src=0&gpr=0&tkr=a"; |---------------------| Building Rule: 2014843 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014848 -------- Hex Payload Start ---------- 0d 0a 0d 0a 47 49 46 38 39 61 01 3f 20 3c 3f --------- Hex Payload End ----------- |---------------------| Building Rule: 2014849 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014850 -------- Hex Payload Start ---------- 20 --------- Hex 
Payload End ----------- \x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$ uricontent:"/getfile.php?i=0&key=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2014851 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014852 -------- Hex Payload Start ---------- 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 34 30 34 22 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2014853 -------- Hex Payload Start ---------- 76 61 6c 75 65 3d 22 6c 78 78 74 3e 33 33 --------- Hex Payload End ----------- \.php\?go=\d$ uricontent:".php?go=0"; |---------------------| Building Rule: 2014854 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAvCn-A Checkin 1"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/s"; http_uri; fast_pattern:only; urilen:10; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2014855; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2014857 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014858 -------- Hex Payload Start ---------- 3c 68 74 6d 6c 3e 0d 0a 3c 74 69 74 6c 65 3e 50 61 79 70 61 6c 3a 20 4c 6f 61 64 69 6e 67 3c --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:trojan-activity; sid:2014864; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2014865 -------- Hex Payload Start ---------- 6f 62 6a 20 3c 3c 73 74 72 65 61 6d 20 00 00 00 18 66 74 79 70 6d 70 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014866 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2014867 -------- Hex Payload Start ---------- 64 6e 73 2d 73 74 75 66 66 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2014868 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 64 6e 73 2d 73 74 75 66 66 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2014870 Error here within! Error here within! 
-------- Hex Payload Start ---------- c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4d 69 63 72 6f 73 6f 66 74 20 52 6f 6f 74 20 41 75 74 68 6f 72 69 74 79 4d 69 63 72 6f 73 6f 66 74 20 45 6e 66 6f 72 63 65 64 20 4c 69 63 65 6e 73 69 6e 67 20 49 6e 74 65 72 6d 65 64 69 61 74 65 20 50 43 41 61 1a 02 b7 00 02 00 00 00 12 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4d 69 63 72 6f 73 6f 66 74 20 45 6e 66 6f 72 63 65 64 20 4c 69 63 65 6e 73 69 6e 67 20 52 65 67 69 73 74 72 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 20 43 41 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2014871 -------- Hex Payload Start ---------- 16 03 20 0b 20 53 65 63 75 72 69 74 79 20 52 65 61 73 65 72 63 68 20 57 57 45 42 20 47 72 6f 75 70 2c 20 4c 4c 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014872 -------- Hex Payload Start ---------- 16 03 20 0b 20 08 4a 6f 68 6e 20 44 6f 65 30 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2014874 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 44 36 46 32 44 42 41 2d 46 34 45 35 2d 34 30 41 36 2d 38 37 32 35 2d 45 39 39 42 43 39 36 43 43 32 33 41 42 61 63 6b 75 70 54 6f 41 76 69 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014875 -------- Hex Payload Start ---------- 43 4c 53 49 44 32 30 38 36 35 30 42 31 2d 33 43 41 31 2d 34 34 30 36 2d 39 32 36 44 2d 34 35 46 32 44 42 42 39 43 32 39 39 42 61 63 6b 75 70 54 6f 41 76 69 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014876 -------- Hex Payload Start ---------- 43 4c 53 49 44 45 45 44 42 41 33 32 45 2d 35 43 32 44 2d 34 38 66 31 2d 41 35 38 45 2d 30 41 41 42 30 42 43 32 33 30 45 33 43 6f 6e 6e 65 63 74 44 44 4e 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014877 -------- Hex Payload Start ---------- 43 4c 53 49 44 31 37 41 37 46 37 33 31 2d 43 39 45 43 2d 34 36 31 43 2d 42 38 31 33 2d 32 46 34 32 41 31 42 42 35 38 45 42 43 6f 6e 6e 65 63 74 44 44 4e 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2014878 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex 
----------- category\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"category=0script"; |---------------------| Building Rule: 2015473 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018761 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 36 2e 30 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hupigon.DF Checkin"; flow:to_server,established; content:"/ip.txt"; http_uri; urilen:7; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2018762; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2015474 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 9e 98 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015475 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015478 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015479 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b content:"var wow="#";Date;"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; content:"var wow="#";Date;"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:4;) Parser failed - skipping rule type both, track by_src, count 10, seconds 600 |---------------------| Building Rule: 2015482 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 28 94 8d ab c9 c0 d1 99 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2015485 -------- Hex Payload Start ---------- 20 74 75 6e 65 69 6e 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2015486 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 63 68 63 79 69 68 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015487 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015488 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 4e 65 77 43 6c 61 73 73 31 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2015490 -------- Hex Payload Start ---------- 43 4c 53 49 44 36 38 34 38 31 31 46 42 2d 30 35 32 33 2d 34 32 30 46 2d 39 45 38 46 2d 41 35 34 35 32 43 36 35 41 31 39 43 54 6f 53 76 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015491 -------- Hex Payload Start ---------- 43 4c 53 49 44 42 46 36 45 46 46 46 33 2d 34 35 35 38 2d 
34 43 34 43 2d 41 44 41 46 2d 41 38 37 38 39 31 43 35 46 33 41 33 41 64 64 43 6f 6c 75 6d 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015492 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4c 69 73 74 43 74 72 6c 2e 6f 63 78 41 64 64 43 6f 6c 75 6d 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015493 -------- Hex Payload Start ---------- 43 4c 53 49 44 46 38 44 30 37 42 37 32 2d 42 34 42 34 2d 34 36 41 30 2d 41 43 43 30 2d 43 37 37 31 44 34 36 31 34 42 38 32 41 64 64 41 74 74 61 63 68 6d 65 6e 74 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015494 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015495 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"id=0script"; |---------------------| Building Rule: 2015496 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- cid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"cid=0script"; |---------------------| Building Rule: 2015497 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015498 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015499 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"Host|3A| "; http_header; content:"geoiptool.com|0d 0a|"; within:20; http_header; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2015502 -------- Hex Payload Start ---------- 43 48 45 43 4b 5f 4d 45 0d 0a 50 6f 72 74 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015503 -------- Hex Payload Start ---------- 20 20 2e 63 6f 6d 2e 74 77 0d 0a --------- Hex Payload End ----------- ^\/[a-z]\.php uricontent:"/a.php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; content:"POST"; http_method; urilen:6; content:"Indy Library"; http_header; uricontent:"/a.php"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015504; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2015505 -------- Hex Payload Start ---------- 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015506 -------- Hex Payload Start ---------- 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015508 -------- Hex Payload Start ---------- 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015510 -------- Hex Payload Start ---------- 49 5f 41 4d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2015511 -------- Hex Payload Start ---------- 46 4f 52 43 45 5f 41 55 54 48 45 4e 54 49 43 41 54 49 4f 4e 5f --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2015512 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- ^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$ content:"STOR /tgt.conf "; |---------------------| Building Rule: 2015513 -------- Hex Payload Start ---------- 53 54 4f 52 20 2e 63 6f 6e 66 0d 0a 20 53 54 4f 52 20 2f 74 67 74 2e 63 6f 6e 66 0d --------- Hex Payload End ----------- ^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$ content:"STOR nsswitch.conf "; |---------------------| Building Rule: 2015514 -------- Hex Payload Start ---------- 53 54 4f 52 20 6e 73 73 77 69 74 63 68 2e 63 6f 6e 66 0d 0a 20 53 54 4f 52 20 6e 73 73 77 69 74 63 68 2e 63 6f 6e 66 0d --------- Hex Payload End ----------- |---------------------| Building Rule: 2015515 -------- Hex Payload Start ---------- 53 49 54 45 20 43 48 4d 4f 44 20 37 37 37 20 4e 4f 4e 45 58 49 53 54 41 4e 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015516 -------- Hex Payload Start ---------- 76 61 72 20 53 61 69 67 6f 6e 3d 7b 76 65 72 73 69 6f 6e 3a 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015517 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015518 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015521 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 01 ae 84 e3 aa 1f 90 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015522 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 21 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015523 -------- Hex Payload Start ---------- 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015524 -------- Hex Payload Start ---------- 2f 2a 63 33 32 38 34 64 2a 2f --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2015528 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 55 70 64 61 74 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00 content:"#aaaaaaaaaaaaaaaa#waw#pl#"; |---------------------| Building Rule: 2015531 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 20 03 77 61 77 02 70 6c 00 20 10 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 03 77 61 77 02 70 6c 00 --------- Hex Payload End ----------- \/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$ uricontent:"/0000000000?w=000&i=000000&v=0.0"; |---------------------| Building Rule: 2015535 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 20 20 48 6f 73 74 3a 20 20 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6f 6b 69 65 3a 20 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015532 -------- Hex Payload Start ---------- 50 72 6f 78 79 4a 75 64 67 65 20 56 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015533 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015534 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- snum\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"snum=0script"; |---------------------| Building Rule: 2015536 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015537 -------- Hex Payload Start ---------- 43 4c 53 49 44 33 33 35 36 44 42 37 43 2d 35 38 41 37 2d 31 31 44 34 2d 41 41 35 43 2d 30 30 36 30 39 37 33 31 34 42 46 38 69 6e 73 74 61 6c 6c 41 70 70 4d 67 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015538 -------- Hex Payload Start ---------- 43 4c 53 49 44 41 30 39 41 45 36 38 46 2d 42 31 34 44 2d 34 33 45 44 2d 42 37 31 33 2d 42 41 34 31 33 46 30 33 34 39 30 34 43 72 65 61 74 65 4e 65 77 46 6f 6c 64 65 72 46 72 6f 6d 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015539 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 57 5a 46 49 4c 45 56 49 45 57 2e 46 69 6c 65 56 69 65 77 43 74 72 6c 2e 36 31 43 72 65 61 74 65 4e 65 77 46 6f 6c 64 65 72 46 72 6f 6d 4e 61 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015540 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- 
id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"id=0script"; |---------------------| Building Rule: 2015541 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- cdwidgetid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"cdwidgetid=0script"; |---------------------| Building Rule: 2015542 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- menu=\s*(ftps?|https?|php)\:\/ uricontent:"menu=ftp:/"; |---------------------| Building Rule: 2015543 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- topic\_title\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"topic_title=0script"; |---------------------| Building Rule: 2015544 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015545 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017417 -------- Hex Payload Start ---------- 50 5b 65 6e 64 6f 66 5d --------- Hex Payload End ----------- |---------------------| Building Rule: 2015546 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015547 -------- Hex Payload Start ---------- 20 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a 48 6f 73 74 3a 20 20 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2015550 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 75 70 61 73 02 73 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015551 -------- Hex Payload Start ---------- 2e 75 70 61 73 2e 73 75 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2015552 -------- Hex Payload Start ---------- 50 4f 54 41 54 4f 20 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015553 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015559 -------- Hex Payload Start ---------- 16 03 20 0b 20 55 04 06 13 02 54 52 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 65 20 13 18 49 6e 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015560 Protocol Not Supported |---------------------| Building Rule: 2015561 -------- Hex Payload Start ---------- 6f 62 6a 20 3c 3c 2f 43 43 49 54 54 46 61 78 44 65 63 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015562 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015563 -------- Hex Payload Start ---------- 43 4c 53 49 44 43 44 33 42 30 39 46 31 2d 32 36 46 42 2d 34 31 43 44 2d 42 33 46 32 2d 45 31 37 38 44 46 44 33 42 43 43 36 42 61 72 63 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015564 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 42 41 52 43 4f 44 45 57 49 5a 4c 69 62 2e 42 61 72 43 6f 64 65 57 69 7a 42 61 72 63 6f 64 65 --------- Hex Payload End ----------- attributeToSelect\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"attributeToSelect=0script"; |---------------------| Building Rule: 2015565 -------- Hex 
Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015566 -------- Hex Payload Start ---------- 43 4c 53 49 44 35 34 42 44 45 36 45 43 2d 46 34 32 46 2d 34 35 30 30 2d 41 43 34 36 2d 39 30 35 31 37 37 34 34 34 33 30 30 44 6f 77 6e 6c 6f 61 64 41 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015567 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 49 43 51 50 68 6f 6e 65 2e 53 69 70 78 50 68 6f 6e 65 4d 61 6e 61 67 65 72 2e 31 44 6f 77 6e 6c 6f 61 64 41 67 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015568 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015569 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015570 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- img\_url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"img_url=0script"; |---------------------| Building Rule: 2015571 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- skin\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change)) uricontent:"skin=0script"; |---------------------| Building Rule: 2015572 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015573 -------- Hex Payload Start ---------- 2f 2a 59 73 7a 7a 20 30 2e 37 20 76 69 70 2a 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015574 -------- Hex Payload Start ---------- 0d 0a 0d a0 43 57 53 20 3c 64 6f 73 77 66 20 76 65 72 73 69 6f 6e 3d --------- Hex Payload End 
----------- ^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class content:".class"; |---------------------| Building Rule: 2015575 -------- Hex Payload Start ---------- 47 6f 6e 64 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015576 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 32 77 65 62 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 30 |---------------------| Building Rule: 2015577 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 41 67 65 6e 74 3a 20 57 69 6e 64 6f 77 73 20 39 38 20 48 6f 73 74 3a 20 77 77 77 2e 66 62 69 2e 67 6f 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015578 -------- Hex Payload Start ---------- 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 77 6f 77 3d 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 2e 69 6e 64 65 78 4f 66 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:trojan-activity; sid:2015581; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2015583 -------- Hex Payload Start ---------- 46 6f 78 78 79 53 46 20 57 65 62 73 69 74 65 20 43 6f 70 69 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015584 -------- Hex Payload Start ---------- 41 64 64 65 64 20 42 79 20 46 6f 78 78 79 53 46 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015585 -------- Hex Payload Start ---------- 20 20 20 66 6f 78 78 79 73 6f 66 74 77 61 72 65 2e 6f 72 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015586 -------- Hex Payload Start ---------- 74 72 79 7b 3d 4d 61 74 68 2e 72 6f 75 6e 64 3b 7d 63 61 74 63 68 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015587 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2015593 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015594 -------- Hex Payload Start ---------- 0c 00 00 00 40 01 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015595 -------- Hex Payload Start ---------- 5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015597 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 67 6f 77 69 6e 37 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015598 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 73 65 63 75 75 72 69 74 79 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015599 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 13 62 65 73 74 63 6f 6d 70 75 74 65 72 61 64 76 69 73 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015600 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 64 6f 74 6e 65 74 61 64 76 69 73 6f 72 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015601 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 64 61 74 61 73 70 6f 74 6c 69 67 68 74 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015602 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 67 75 65 73 74 2d 61 63 63 65 73 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015603 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- \/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$ uricontent:"/aaaa-a.aaaa.jar"; |---------------------| Building Rule: 2015604 -------- Hex Payload Start ---------- 20 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015605 -------- Hex Payload Start ---------- 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6a 61 76 61 2d 61 70 70 6c 65 74 20 77 69 64 74 68 3d 22 30 22 20 68 65 69 67 68 74 3d 22 30 22 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015606 -------- Hex Payload Start ---------- 43 4c 53 49 44 36 46 32 35 35 46 39 39 2d 36 39 36 31 2d 34 38 44 43 2d 42 31 37 45 2d 36 45 31 42 43 43 42 43 30 45 45 33 43 61 63 68 65 44 6f 63 75 6d 65 6e 74 58 4d 4c 57 69 74 68 49 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015607 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 48 50 45 53 50 52 49 54 2e 58 4d 4c 43 61 63 68 65 4d 67 72 2e 31 43 61 63 68 65 44 6f 63 75 6d 65 6e 74 58 4d 4c 57 69 74 68 49 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015608 -------- Hex Payload Start ---------- 43 4c 53 49 44 44 45 46 33 37 39 39 37 2d 44 39 43 
Error parsing rule contents alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016599 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- (\0[a-z]{3}\.classPK.{43}){4} NOT IMPL not _simple(av) in REPEATING CODES content:""; |---------------------| Building Rule: 2015846 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 2e 63 6c 61 73 73 50 4b 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2015849 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 63 76 65 31 37 32 33 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015850 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015853 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015854 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015855 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015856 -------- Hex Payload Start ---------- 2b 06 01 04 01 09 09 60 01 01 01 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015857 Error here within! 
-------- Hex Payload Start ---------- 00 03 20 20 0a 21 0a 76 65 72 73 69 6f 6e 20 --------- Hex Payload End ----------- ^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h NOT IMPL not _simple(av) in REPEATING CODES content:"/0/0:0p0t0t0h"; |---------------------| Building Rule: 2015858 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 2f 30 2f 30 3a 30 70 30 74 30 74 30 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015859 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 41 74 74 61 63 6b 65 72 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015862 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 6e 6f 20 53 65 74 75 70 20 44 6f 77 6e 6c 6f 61 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015865 -------- Hex Payload Start ---------- 16 03 01 00 be d3 cf b1 fe a1 55 bf 77 65 62 6d 61 73 74 65 72 40 6c 6f 63 61 6c 68 6f 73 74 30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc --------- Hex Payload End ----------- ^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>] NOT IMPL not _simple(av) in REPEATING CODES content:" 0000/R 3 "; |---------------------| Building Rule: 2015866 -------- Hex Payload Start ---------- 2f 53 74 61 6e 64 61 72 64 20 2f 4c 65 6e 67 74 68 20 0d 30 30 30 30 2f 52 20 33 0d --------- Hex Payload End ----------- \x7C(NEW|Awaiting commands) content:"|NEW"; Parser failed - skipping rule \x7C(NEW|Awaiting commands) content:"|NEW"; Parser failed - skipping rule \x7C(NEW|Awaiting commands) content:"|NEW"; Parser failed - skipping rule ^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s]))) NOT IMPL not _simple(av) in REPEATING CODES content:" /Length 0000"; |---------------------| Building Rule: 2015867 -------- Hex Payload Start ---------- 2f 53 74 61 6e 64 61 72 64 20 2f 52 20 
33 20 0d 2f 4c 65 6e 67 74 68 0d 30 30 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015871 -------- Hex Payload Start ---------- 20 29 20 4a 61 76 61 2f --------- Hex Payload End ----------- \.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])& NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?a=1a&"; |---------------------| Building Rule: 2015872 Error here within! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/f.php?k=0"; |---------------------| Building Rule: 2015873 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015874 -------- Hex Payload Start ---------- 77 68 61 74 77 69 6c 6c 62 65 72 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2015875 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 77 68 61 74 77 69 6c 6c 62 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- ^(mous)?\.class NOT IMPL not _simple(av) in REPEATING CODES content:".class"; |---------------------| Building Rule: 2015876 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 53 65 63 72 65 74 4b 65 79 2e 63 6c 61 73 73 20 41 6e 6f 6e 79 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- \/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaaaaaaaaaaaaaa/a.php"; |---------------------| Building Rule: 2015877 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015878 -------- Hex Payload Start ---------- 20 6d 61 78 6d 69 6e 64 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2015881 -------- Hex Payload Start ---------- 20 3d 3d 20 2d 31 20 7b 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 5c 78 35 43 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015882 -------- Hex Payload Start ---------- 20 3d 20 70 61 72 73 65 49 6e 74 28 20 2e 72 65 70 6c 61 63 65 28 2f 5c 2e 7c 5c 5f 2f 67 2c 20 27 27 29 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2015883 -------- Hex Payload Start ---------- 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 61 70 70 6c 65 74 22 29 3b 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 63 6f 64 65 20 2e 63 6c 61 73 73 22 29 3b 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 63 68 69 76 65 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 22 70 61 72 61 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2015884 
-------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 61 2e 54 65 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015885 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015886 -------- Hex Payload Start ---------- 2f 61 2e 54 65 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015887 -------- Hex Payload Start ---------- 3c 6f 62 6a 65 63 74 30 62 30 39 30 39 30 34 31 66 33 31 33 31 --------- Hex Payload End ----------- ^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"//0"; |---------------------| Building Rule: 2015888 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015890 -------- Hex Payload Start ---------- 46 6c 61 73 68 45 78 70 6c 6f 69 74 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015894 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown_comee.pl - POST with stpfu in http_client_body"; flow:established,to_server; content:"POST"; http_method; content:"stpfu"; http_client_body; depth:5; classtype:trojan-activity; sid:2015895; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2015896 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 39 0d 0a 20 0d 0a 0d 0a 6c 95 32 cb --------- Hex Payload End ----------- ^\/flow\d{1,2}\.php$ uricontent:"/flow0.php"; |---------------------| Building Rule: 2015897 -------- Hex Payload Start ---------- 20 20 47 45 54 20 2e 72 75 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported [a-f0-9]{32}\.jar content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jar"; |---------------------| Building Rule: 2015901 -------- Hex Payload Start ---------- 38 41 44 39 43 38 34 30 2d 30 34 34 45 2d 31 31 44 31 2d 42 33 45 39 2d 30 30 38 30 35 46 34 39 39 44 39 33 20 2e 6a 61 72 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2e 6a 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015905 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 20 2d 20 57 53 4f 20 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA -Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:bad-unknown; sid:2015907; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA - PII Phished"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; content:"&dob3="; http_client_body; classtype:bad-unknown; sid:2015908; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of America Phish Oct 1 M1"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; classtype:bad-unknown; sid:2015909; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:bad-unknown; sid:2015911; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:bad-unknown; sid:2015912; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:bad-unknown; sid:2015913; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:bad-unknown; sid:2015914; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2015917 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 20 2d 20 44 2e 4b 20 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015918 -------- Hex Payload Start ---------- 3c 73 70 61 6e 3e 55 6e 61 6d 65 3c 62 72 3e 55 73 65 72 3c 62 72 3e 50 68 70 3c 62 72 3e 48 64 64 3c 62 72 3e 43 77 64 3c 2f 73 70 61 6e 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015919 -------- Hex Payload Start ---------- 3c 73 70 61 6e 3e 55 6e 61 6d 65 3a 3c 62 72 3e 55 73 65 72 3a 3c 62 72 3e 50 68 70 3a 3c 62 72 3e 48 64 64 3a 3c 62 72 3e 43 77 64 3a 3c 2f 73 70 61 6e 3e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; content:"POST"; http_method; content:"form-data\; name=|22|a|22|"; http_client_body; content:"form-data\; name=|22|c|22|"; http_client_body; content:"form-data\; name=|22|p1|22|"; http_client_body; classtype:attempted-user; sid:2015920; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2015921 -------- Hex Payload Start ---------- 68 65 31 6c 30 3a 68 78 78 70 3a 2f 2f 2e 6a 70 67 --------- Hex Payload End ----------- ^\/\d{9,10}\/\d{4,5}$ uricontent:"/000000000/0000"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:14<>18; uricontent:"/000000000/0000"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:5;) Parser failed - skipping rule ^\/\d{5}$ uricontent:"/00000"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:6; uricontent:"/00000"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b| name=|22|from|22|"; http_client_body; content:"form-data|3b| name=|22|realname|22|"; http_client_body; content:"form-data|3b| name=|22|amount|22|"; http_client_body; classtype:web-application-activity; sid:2015924; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2015925 -------- Hex Payload Start ---------- 3c 61 20 68 72 65 66 3d 22 3f 78 3d 73 65 6c 66 72 65 6d 6f 76 65 22 3e 5b 53 65 6c 66 2d 4b 69 6c 6c 5d 3c 2f 61 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015926 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015928 -------- Hex Payload Start ---------- 20 29 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015929 -------- Hex Payload Start ---------- 20 29 20 4a 61 76 61 2f --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;) Parser failed - skipping rule \/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php uricontent:"/news/enter/2012-10-00.php"; |---------------------| Building Rule: 2015932 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"//aa.txt"; |---------------------| Building Rule: 2015933 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/t\/[a-f0-9]{32}$ uricontent:"/t/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2015936 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b| name=|22|formSubmited|22|"; http_client_body; content:"form-data|3b| name=|22|scriptPassword|22|"; http_client_body; classtype:misc-activity; sid:2015937; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2015938 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ^\/[a-z]+\/$ uricontent:"/a/"; |---------------------| Building Rule: 2015939 -------- Hex Payload Start ---------- 2f 20 48 54 54 50 2f 31 2e 20 2e 62 6c 6f 67 73 69 74 65 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015940 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- amor\d{0,2}\.jar uricontent:"amor.jar"; |---------------------| Building Rule: 2015941 -------- Hex Payload Start ---------- 20 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015942 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2015943 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 61 6d 6f 72 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015944 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015945 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.php?setup=d&s=\d+&r=\d+$ uricontent:".phsetup=d&s=0&r=0"; |---------------------| Building Rule: 2015946 -------- Hex Payload Start ---------- 20 26 72 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2015947 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015948 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015949 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 70 72 6f 70 61 63 6b 2f --------- Hex Payload End ----------- \.php\?j=1&k=[0-9](i=[0-9])?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?j=1&k=0"; |---------------------| Building Rule: 2015950 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"User-Agent|3a 20|LabTech Agent"; http_header; classtype:trojan-activity; sid:2015952; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdored Version calls home"; flow:established,to_server; content:"POST"; http_method; content:"prostoivse.com|0d 0a|"; http_header; nocase; content:"/x.php"; http_uri; content:"reff="; http_client_body; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2015954 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 2d 31 2e 30 2f 46 6c 61 74 65 44 65 63 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015955 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 2d 31 2e 31 2f 46 6c 61 74 65 44 65 63 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015956 -------- Hex Payload Start ---------- 3c 68 65 61 64 3e 3c 74 
69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 20 50 6c 65 61 73 65 20 77 61 69 74 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 2f 68 65 61 64 3e --------- Hex Payload End ----------- ^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$ uricontent:"/ad/?a=a"; |---------------------| Building Rule: 2015957 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 42 49 54 53 2f --------- Hex Payload End ----------- ^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$ uricontent:"/ad/?a=a"; |---------------------| Building Rule: 2015958 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015959 -------- Hex Payload Start ---------- 73 21 61 40 6d 23 6e 24 70 25 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015960 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2015961 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2015962 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/[a-z0-9]{1,10}\/?\?.+?$ uricontent:"/a?0"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:2; depth:11; http_uri; content:"GET"; http_method; uricontent:"/a?0"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; depth:76; http_header; fast_pattern:55,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n/HRi"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:12;) Parser failed - skipping rule |---------------------| Building Rule: 2015971 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 46 6c 61 73 68 50 6c 61 79 65 72 2e 63 6c 61 73 73 20 2e 53 46 20 2e 52 53 41 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2015964 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015965 -------- Hex Payload Start ---------- 53 43 61 72 64 46 6f 72 67 65 74 52 65 61 64 65 72 47 72 6f 75 70 41 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH PayPal - Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2015973 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- \?(s|page|id)=\d+$ uricontent:"?s=0"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_client_body; depth:5; uricontent:"?s=0"; classtype:trojan-activity; sid:2015974; rev:13;) Parser failed - skipping rule ^\s+A{500} content:" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2015975 -------- Hex Payload Start ---------- 67 72 61 6e 74 66 69 6c 65 6f 6e 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 --------- Hex Payload End ----------- ^\/1\/\?\w$ uricontent:"/1/?A"; Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET"; http_method; urilen:5; content:"/1/?"; http_uri; fast_pattern; depth:4; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; uricontent:"/1/?A"; pcre:"/^User-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a$/Hi"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2;)
Parser failed - skipping rule
\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>
content:"("00000000000000000000000000000000000000000000000000"));</script></body>";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"(|22|"; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; content:"("00000000000000000000000000000000000000000000000000"));</script></body>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:7;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2015978
-------- Hex Payload Start ----------
61 70 70 6c 65 74 20 79 79 33 4f 6a 6a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2015979
-------- Hex Payload Start ----------
7c 70 64 66 76 65 72 7c 20 7c 61 70 70 6c 65 74 7c
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Google - Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
(\?|&)(host|service|opt|end|start)=[^&]+?\x60.+?\x60
uricontent:"?host=#`0`";
|---------------------|
Building Rule: 2016015
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2016119
-------- Hex Payload Start ----------
20 20 2e 2e 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2015983
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2015984
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/[a-f0-9]+$
uricontent:"/a";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; uricontent:"/a"; content:"Windows NT 9.0|3b|"; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:4;)
Parser failed - skipping rule
type both,track by_src,count 100,seconds 1
|---------------------|
Building Rule: 2015986
-------- Hex Payload Start ----------
20 20 20 11
--------- Hex Payload End -----------
^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}
NOT IMPL not _simple(av) in REPEATING CODES
content:"USE 0";
|---------------------|
Building Rule: 2015987
Error here depth!
-------- Hex Payload Start ----------
20 20 20 00 03 20 55 53 45 20 30
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2015988
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
^\/[0-9]{3}\.jar$
uricontent:"/000.jar";
|---------------------|
Building Rule: 2015989
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/[0-9]{2}\.html$
uricontent:"/00.html";
|---------------------|
Building Rule: 2015990
-------- Hex Payload Start ----------
20 20 4a 61 76 61 2f 31
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2015991
-------- Hex Payload Start ----------
22 6f 72 73 2e 63 6c 61 73 73 22 20 22 62 68 6a 77 66 66 66 69 6f 72 6a 77 65 22
--------- Hex Payload End -----------
\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=
content:"/0.TRG'LINES TERMINATED BY '_ntriggers=";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; content:"/0.TRG'LINES TERMINATED BY '_ntriggers="; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7;)
Parser failed - skipping rule
type both,track by_dst,count 10,seconds 1
|---------------------|
Building Rule: 2015993
-------- Hex Payload Start ----------
20 20 20 02 20 15 04 41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72
--------- Hex Payload End -----------
SELECT @@version_compile_os\s*?\x3b
content:"SELECT @@version_compile_os;";
|---------------------|
Building Rule: 2015994
--------
Hex Payload Start ---------- 20 20 20 03 20 73 65 6c 65 63 74 20 40 40 76 65 72 73 69 6f 6e 5f 63 6f 6d 70 69 6c 65 5f 6f 73 20 53 45 4c 45 43 54 20 40 40 76 65 72 73 69 6f 6e 5f 63 6f 6d 70 69 6c 65 5f 6f --------- Hex Payload End ----------- SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22] content:"SELECT data FROM # INTO DUMPFILE 'c:/windows/system32/a.exe'"; |---------------------| Building Rule: 2015995 -------- Hex Payload Start ---------- 20 20 20 03 53 45 4c 45 43 54 20 64 61 74 61 20 46 52 4f 4d 49 4e 54 4f 20 44 55 4d 50 46 49 4c 45 20 63 3a 2f 77 69 6e 64 6f 77 73 2f 73 79 73 74 65 6d 33 32 2f 2e 65 78 65 20 53 45 4c 45 43 54 20 64 61 74 61 20 46 52 4f 4d 20 00 20 49 4e 54 4f 20 44 55 4d 50 46 49 4c 45 20 27 63 3a 2f 77 69 6e 64 6f 77 73 2f 73 79 73 74 65 6d 33 32 2f 61 2e 65 78 65 27 --------- Hex Payload End ----------- WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe content:"WSH.run(\"a.exe"; |---------------------| Building Rule: 2015996 -------- Hex Payload Start ---------- 20 20 20 03 49 4e 53 45 52 54 20 49 4e 54 4f 23 70 72 61 67 6d 61 20 6e 61 6d 65 73 70 61 63 65 28 5c 5c 5c 2e 5c 5c 5c 5c 72 6f 6f 74 5c 5c 5c 5c 5f 5f 45 76 65 6e 74 46 69 6c 74 65 72 20 5f 5f 49 6e 73 74 61 6e 63 65 4d 6f 64 69 66 69 63 61 74 69 6f 6e 45 76 65 6e 74 54 61 72 67 65 74 49 6e 73 74 61 6e 63 65 57 69 6e 33 32 5f 4c 6f 63 61 6c 54 69 6d 65 41 63 74 69 76 65 53 63 72 69 70 74 45 76 65 6e 74 43 6f 6e 73 75 6d 65 72 4a 53 63 72 69 70 74 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 57 53 48 2e 72 75 6e 2e 65 78 65 20 5f 5f 46 69 6c 74 65 72 54 6f 43 6f 6e 73 75 6d 65 72 42 69 6e 64 69 6e 67 20 57 53 48 2e 72 75 6e 28 5c 22 61 2e 65 78 65 --------- Hex Payload End ----------- \/chrome\/google_chrome_(update|installer)\.exe$ uricontent:"/chrome/google_chrome_update.exe"; |---------------------| Building Rule: 2015997 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/j\d{2}\.php\?i= 
uricontent:"/j00.php?i="; |---------------------| Building Rule: 2016013 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- \/lpdf\.php\?i=[a-zA-Z0-9]+&?$ uricontent:"/lpdf.php?i=a"; |---------------------| Building Rule: 2016012 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/i.php?token=[a-z0-9]+$ uricontent:"/i0phtoken=a"; |---------------------| Building Rule: 2015998 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2015999 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 5f 6c 65 6e 67 74 68 3a 20 20 50 72 6f 78 79 2d 43 6f 6e 6e 65 74 69 6f 6e 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016000 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016014 -------- Hex Payload Start ---------- 50 4f 53 54 2f 6c 6f 67 20 48 54 54 50 2f 31 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End ----------- ^[0-4][^0-9] content:"0#"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-1."; content:"0#"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:5;) Parser failed - skipping rule root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"root_folder_path=:/"; |---------------------| Building Rule: 2016002 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"root_folder_path=:/"; |---------------------| Building Rule: 2016003 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"root_folder_path=:/"; |---------------------| Building Rule: 2016004 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016005 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016006 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016007 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"fact_num=0"; |---------------------| Building Rule: 2016008 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"sn=0"; |---------------------| Building Rule: 2016009 -------- Hex 
Payload Start ---------- 20 --------- Hex Payload End ----------- ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"ref=0"; |---------------------| Building Rule: 2016010 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SmokeBot grab data plaintext"; flow:established,to_server; content:"cmd=grab&data="; fast_pattern:only; http_client_body; content:"&login="; http_client_body; classtype:trojan-activity; sid:2016011; rev:5;) Parser failed - skipping rule ^[^\x00]+?\x00 content:"##"; Unsupported keyword! Error parsing rule contents alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"##"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8;) Parser failed - skipping rule ^(?:0*?[19]\d|[^190]) content:""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; content:"|5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern:only; content:"|5c|listoverridecount"; isdataat:2,relative; content:""; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:4;) Parser failed - skipping rule \x10[acdefghijlmopqrtwz]{16}\x08mynumber\x03org\x00 content:"#aaaaaaaaaaaaaaaa#mynumber#org#"; |---------------------| Building Rule: 2018766 Error here depth! Error here within! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 08 6d 79 6e 75 6d 62 65 72 03 6f 72 67 00 20 10 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 08 6d 79 6e 75 6d 62 65 72 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016318 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \.php\?cn(ame)?= NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?cn="; |---------------------| Building Rule: 2016912 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 49 6e 65 74 47 65 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016018 Error here within! Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c 50 10 00 40 00 44 00 65 00 78 00 74 00 65 00 72 00 00 00 52 00 65 00 67 00 75 00 6c 00 61 00 72 00 20 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 31 00 2e 00 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016022 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 7b 22 69 66 72 61 6d 65 22 3a 74 72 75 65 2c 22 75 72 6c 22 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016024 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 21 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- [a-f0-9]{32}\.jar content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jar"; |---------------------| Building Rule: 2016026 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 2e 6a 61 72 20 70 61 72 61 6d 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2e 6a 61 72 --------- Hex Payload End ----------- [a-z0-9]{32}\.jar content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jar"; |---------------------| Building Rule: 2016027 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 2e 6a 61 72 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2e 6a 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016028 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 6d 73 66 2f 78 2f --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported type limit, track by_src, count 1, seconds 300 |---------------------| Building Rule: 2016031 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016032 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 4f 54 2f 30 2e 31 20 28 42 4f 54 20 66 6f 72 20 4a 43 45 29 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 300 |---------------------| Building 
Rule: 2016033 -------- Hex Payload Start ---------- 50 4f 53 54 20 43 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 35 32 33 35 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016034 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 2f 39 2e 38 30 45 64 69 74 69 6f 6e 20 59 78 3b 20 72 75 20 2e --------- Hex Payload End ----------- wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"wpp=:/"; |---------------------| Building Rule: 2016037 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"wpp=:/"; |---------------------| Building Rule: 2016038 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"userId=0"; |---------------------| Building Rule: 2016039 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"having=0"; |---------------------| Building Rule: 2016040 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016041 -------- Hex Payload Start ---------- 43 4c 53 49 44 41 39 43 38 46 32 31 30 2d 35 35 45 42 2d 34 38 34 39 2d 38 38 30 37 2d 45 43 34 39 43 35 33 38 39 41 37 39 2e 41 64 64 50 61 63 6b 61 67 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016042 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016043 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 
2016044 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 2e 2f --------- Hex Payload End ----------- headline\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"headline=0"; |---------------------| Building Rule: 2016045 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"view=0"; |---------------------| Building Rule: 2016036 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016047 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016048 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016049 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016050 -------- Hex Payload Start ---------- 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 6b 6f 2d 6b 72 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; depth:3; http_client_body; content:"&ch="; http_client_body; distance:0; content:"&name="; http_client_body; distance:0; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:trojan-activity; sid:2016051; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2016052 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016053 -------- Hex Payload Start ---------- 2e 65 78 65 2e 63 72 79 70 74 65 64 20 61 74 74 61 63 68 6d 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016054 -------- Hex Payload Start ---------- 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 41 70 70 6c 69 63 61 74 69 6f 6e 20 45 72 72 6f 72 2e 2e 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016055 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016056 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:trojan-activity; sid:2016062; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH PayPal - Account Phished"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; classtype:bad-unknown; sid:2016063; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016065 Error here within! Error here within! 
-------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c 50 10 00 40 00 61 00 62 00 63 00 64 00 65 00 66 00 00 00 52 00 65 00 67 00 75 00 6c 00 61 00 72 00 20 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 31 00 2e 00 30 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016068 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 6f 63 6c 62 6d 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016069 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 76 62 20 20 20 77 69 6e 69 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016070 -------- Hex Payload Start ---------- 0d 0a 0d 0a 63 52 78 6d 6c 71 43 31 34 49 38 79 68 72 39 32 73 6f 76 70 --------- Hex Payload End ----------- ^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaa/000000000/aaaa.jar"; |---------------------| Building Rule: 2016071 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- ^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaa/000000000/aaaa.pdf"; |---------------------| Building Rule: 2016072 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\/ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES 
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaa/tkt/"; |---------------------| Building Rule: 2016073 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- errMsg\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"errMsg=0"; |---------------------| Building Rule: 2016076 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- albumid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"albumid=0"; |---------------------| Building Rule: 2016077 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016078 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016079 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016080 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- date\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"date=0"; |---------------------| Building Rule: 2016081 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"tid=0"; |---------------------| Building Rule: 2016082 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- 
tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"tid=0"; |---------------------| Building Rule: 2016083 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016084 -------- Hex Payload Start ---------- 43 4c 53 49 44 43 33 42 39 32 31 30 34 2d 42 35 41 37 2d 31 31 44 30 2d 41 33 37 46 2d 30 30 41 30 32 34 38 46 30 41 46 31 2e 53 65 74 53 68 61 70 65 4e 6f 64 65 54 79 70 65 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016085 -------- Hex Payload Start ---------- 43 4c 53 49 44 45 39 44 46 33 30 43 41 2d 34 42 33 30 2d 34 32 33 35 2d 42 46 30 43 2d 37 31 35 30 46 36 34 36 36 30 36 43 53 68 6f 77 50 72 6f 70 65 72 74 69 65 73 44 69 61 6c 6f 67 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Opera/11.1"; http_header; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016088 -------- Hex Payload Start ---------- 49 6e 69 74 3a 20 30 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016089 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 39 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 37 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 48 6f 73 74 3a 20 20 20 --------- Hex Payload End ----------- \.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$ 
uricontent:".php?a=00KAhFXlx900Oj#"; |---------------------| Building Rule: 2016091 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016094 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Dexter Infostealer CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"page="; http_client_body; depth:5; content:"&spec="; distance:0; http_client_body; content:"&opt="; distance:0; http_client_body; content:"var="; distance:0; http_client_body; content:"val="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:trojan-activity; sid:2016095; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016097 -------- Hex Payload Start ---------- 49 66 2d 4d 6f 64 69 66 69 65 64 2d 53 69 6e 63 65 3a 20 20 49 66 2d 4e 6f 6e 65 2d 4d 61 74 63 68 3a 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016098 -------- Hex Payload Start ---------- 69 66 20 28 69 35 34 36 33 20 3d 3d 20 6e 75 6c 6c 29 20 7b 20 76 61 72 20 69 35 34 36 33 20 3d 20 31 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016099 -------- Hex Payload Start ---------- 69 66 20 28 69 35 34 36 33 20 3d 3d 20 6e 75 6c 6c 29 20 7b 20 76 61 72 20 69 35 34 36 33 20 3d 20 31 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016100 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2016102 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 c7 02 89 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016103 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 cf 2e 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016104 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 01 01 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016106 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 73 69 74 65 2e 41 2e 63 6c 61 73 73 --------- Hex Payload End ----------- &b=[a-f0-9]{7}&k=[a-f0-9]{32} uricontent:"&b=aaaaaaa&k=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016107 -------- Hex Payload Start ---------- 20 20 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- &b=[a-f0-9]{7}&k=[a-f0-9]{32} uricontent:"&b=aaaaaaa&k=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016108 -------- Hex Payload Start ---------- 20 20 26 6b 3d --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/wp-property/third-party/uploadify/uploadify.php"; http_uri; nocase; content:"Filedata"; nocase; http_client_body; reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; classtype:web-application-attack; sid:2016109; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016110 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016113 -------- Hex Payload Start ---------- 0d 0a 0d 0a fb 67 1f 49 --------- Hex Payload End ----------- section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"section=0"; |---------------------| Building Rule: 2016114 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"section=0"; |---------------------| Building Rule: 2016115 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- key\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"key=0"; |---------------------| Building Rule: 2016116 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- wpabspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"wpabspath=:/"; |---------------------| Building Rule: 2016117 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016118 -------- 
Hex Payload Start ---------- 43 4c 53 49 44 33 63 39 64 66 66 36 66 2d 35 63 62 30 2d 34 32 32 65 2d 39 39 37 38 2d 64 36 34 30 35 64 31 30 37 31 38 66 49 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 53 65 70 61 72 61 74 6f 72 --------- Hex Payload End ----------- configpath=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"configpath=:/"; |---------------------| Building Rule: 2016120 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- abspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"abspath=:/"; |---------------------| Building Rule: 2016121 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- oracle\_query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"oracle_query=0"; |---------------------| Building Rule: 2016122 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016123 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016124 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016125 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016126 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016127 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016129 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Stabuniq Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&varname="; http_client_body; content:"&comp="; http_client_body; content:"&ver="; http_client_body; content:"&xid="; http_client_body; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016130; rev:3;) Parser failed - skipping rule ^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u content:"=unescape("\u"; |---------------------| Building Rule: 2016132 -------- Hex Payload Start ---------- 3c 66 6f 72 6d 20 62 75 74 74 6f 6e 20 43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65 28 20 2e 6c 6f 63 61 74 69 6f 6e 20 3d 75 6e 65 73 63 61 70 65 28 22 5c 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016133 -------- Hex Payload Start ---------- 6a 6a 32 45 6a 6a 36 43 6a 6a 36 46 6a 6a 36 33 6a 6a 36 31 6a 6a 37 34 6a 6a 36 39 6a 6a 36 46 6a 6a 36 45 6a 6a 32 30 6a 6a 33 44 6a 6a 32 30 6a 6a 37 35 6a 6a 36 45 6a 6a 36 35 6a 6a 37 33 6a 6a 36 33 6a 6a 36 31 6a 6a 37 30 6a 6a 36 35 6a 6a 32 38 6a 6a 32 32 6a 6a 32 35 6a 6a 37 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016134 -------- Hex Payload Start ---------- 25 32 65 25 36 63 25 36 66 25 36 33 25 36 31 25 37 34 25 36 39 25 36 66 25 36 65 25 32 30 25 33 64 25 32 30 25 37 35 25 36 65 25 36 35 25 37 33 25 36 33 25 36 31 25 37 30 25 36 35 25 32 38 25 32 32 25 32 35 25 37 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016135 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 70 72 6f 76 69 64 65 08 79 6f 75 72 74 72 61 70 03 63 6f 6d 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:2;) Parser failed - skipping rule ^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch content:"=0}catch"; |---------------------| Building Rule: 2016138 -------- Hex Payload Start ---------- 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 74 69 6d 65 20 23 64 65 66 61 75 6c 74 23 74 69 6d 65 32 20 3c 74 3a 41 4e 49 4d 41 54 45 43 4f 4c 4f 52 20 43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65 74 72 79 2e 76 61 6c 75 65 73 20 3d 30 7d 63 61 74 63 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016139 -------- Hex Payload Start ---------- 20 2e 20 2e 20 3a --------- Hex Payload End ----------- 
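Several rules in this stretch of the log are dropped with "Error parsing rule contents ... Parser failed - skipping rule", among them the Stabuniq check-in (sid 2016130) and the two CVE-2012-4792 EIP-in-URI rules (sids 2016136, 2016137). The log does not name the keyword it rejects, but the rules it skips here mostly carry the Snort 2 http_* buffer modifiers, hex runs inside content strings, and quoted values that contain ';' or ':'. The following is an added example, not the converter's code and not Emerging Threats code, of tokenising such a rule and evaluating its content chain against a constructed HTTP request. The Stabuniq rule is quoted from the log with its reference options trimmed; the two requests, their hostnames and paths are invented samples, not captures, and the simplifications (no URI normalisation, flow/pcre/flowbits/byte_test ignored) are stated in the module docstring.

```python
"""Tokenise a Snort 2 rule and run its content chain against one HTTP request (added example;
not the converter's or Emerging Threats' code). Handles quoted ';' ':' '|', "|hex|" runs, the
http_* buffer modifiers and nocase/offset/depth/distance/within. flow, pcre, flowbits, byte_test
and reference are tokenised but ignored, and http_uri is the raw URI (no normalisation)."""
BUFFERS = ("http_method", "http_uri", "http_raw_uri", "http_header", "http_client_body")


def split_options(body):
    """'msg:"a;b"; nocase; depth:3;' -> [('msg', '"a;b"'), ('nocase', None), ('depth', '3')]."""
    opts, buf, quoted, i = [], [], False, 0

    def flush():
        name, _, value = "".join(buf).strip().partition(":")
        if name:
            opts.append((name.strip(), value.strip() or None))
        buf.clear()

    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\" and i + 1 < len(body):   # keep escapes intact for content_bytes
            buf.append(body[i:i + 2]); i += 2; continue
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return opts


def content_bytes(value):
    """'"|0d 0a|Content-Type|3a 20|"' -> (negated=False, b'\\r\\nContent-Type: ')."""
    value = value.strip()
    negated, inner = value.startswith("!"), value.lstrip("!").strip()
    if not (inner.startswith('"') and inner.endswith('"')):
        raise ValueError(f"content value is not quoted: {value}")
    out, hexrun, in_hex, i, inner = bytearray(), [], False, 0, inner[1:-1]
    while i < len(inner):
        ch = inner[i]
        if in_hex and ch == "|":                          # closing bar: flush the hex run
            out += bytes.fromhex("".join(hexrun)); hexrun, in_hex = [], False
        elif in_hex:
            if not ch.isspace(): hexrun.append(ch)
        elif ch == "|":
            in_hex = True
        elif ch == "\\" and i + 1 < len(inner):           # \" \; \: \| \\ stand for the literal char
            i += 1; out.append(ord(inner[i]))
        else:
            out.append(ord(ch))
        i += 1
    return negated, bytes(out)


def parse_rule(rule):
    """Header tokens plus the ordered option list; the option body sits between the outer parens."""
    head, _, body = rule.strip().partition("(")
    options = split_options(body.rsplit(")", 1)[0])
    return {"header": head.split(), "options": options,
            "sid": next((v for n, v in options if n == "sid"), None)}


def content_chain(options):
    """Attach each modifier that follows a content to that content (Snort 2 placement rules)."""
    chain = []
    for name, value in options:
        if name == "content":
            negated, pattern = content_bytes(value)
            chain.append({"pat": pattern, "neg": negated, "buf": "payload", "nocase": False,
                          "offset": 0, "depth": None, "distance": None, "within": None})
        elif chain and name == "nocase":
            chain[-1]["nocase"] = True
        elif chain and name in ("offset", "depth", "distance", "within"):
            chain[-1][name] = int(value)
        elif chain and name in BUFFERS:
            chain[-1]["buf"] = name
    return chain


def http_buffers(raw):
    """Cut a raw request into the buffers the http_* modifiers select; 'payload' is the whole request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, _, rest = request_line.partition(b" ")
    uri = rest.rsplit(b" ", 1)[0]
    return {"payload": raw, "http_method": method, "http_uri": uri, "http_raw_uri": uri,
            "http_header": headers + b"\r\n", "http_client_body": body}


def rule_matches(rule, raw_request):
    """True when every content is satisfied; distance/within count from the last match in the same buffer."""
    bufs, cursor = http_buffers(raw_request), {}
    for c in content_chain(parse_rule(rule)["options"]):
        hay, pat = bufs[c["buf"]], c["pat"]
        if c["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if c["distance"] is None and c["within"] is None:     # absolute window: offset + depth
            start = c["offset"]
            end = len(hay) if c["depth"] is None else start + c["depth"]
        else:                                                 # relative window after the last match
            start = max(0, cursor.get(c["buf"], 0) + (c["distance"] or 0))
            end = len(hay) if c["within"] is None else start + c["within"]
        pos = hay.find(pat, start, end)
        if (pos != -1) == c["neg"]:                           # absent, or present but negated
            return False
        if pos != -1:
            cursor[c["buf"]] = pos + len(pat)
    return True


# Rule quoted from the log above (sid 2016130; reference options trimmed).
STABUNIQ_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Stabuniq Checkin"; '
                 'flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&varname="; '
                 'http_client_body; content:"&comp="; http_client_body; content:"&ver="; http_client_body; '
                 'content:"&xid="; http_client_body; classtype:trojan-activity; sid:2016130; rev:3;)')
# Constructed requests shaped after what the rule describes; hosts, paths and values are invented.
CHECKIN = (b"POST /gate.php HTTP/1.1\r\nHost: c2.invalid\r\nContent-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 46\r\n\r\nid=0001&varname=test&comp=HOST1&ver=1.0&xid=42")
BENIGN = b"POST /login HTTP/1.1\r\nHost: www.invalid\r\nContent-Length: 23\r\n\r\nuser=alice&varname=test"
```

`rule_matches(STABUNIQ_RULE, CHECKIN)` is true and `rule_matches(STABUNIQ_RULE, BENIGN)` is false: the first content, `"id="` with `depth:3`, must sit in the first three bytes of the client body, so a body that merely contains `&varname=` somewhere does not fire. The matcher implements only Snort 2 placement (a modifier applies to the content before it), which is the form every rule on this page uses; Suricata's sticky-buffer form, where the buffer keyword precedes the content, is not handled.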
|---------------------| Building Rule: Protocol Not Supported ^[\r\n\s]*[\w]+[\r\n\s]+ content:"A "; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; content:"iframe name="; content:"A "; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2016145 Protocol Not Supported |---------------------| Building Rule: 2016146 Protocol Not Supported ^\/[A-Z]+\.php\?php=receipt$ uricontent:"/A.php?php=receipt"; |---------------------| Building Rule: 2016147 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016149 Error here within! -------- Hex Payload Start ---------- 00 01 20 20 21 12 a4 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016150 Error here within! -------- Hex Payload Start ---------- 01 01 20 20 21 12 a4 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016151 -------- Hex Payload Start ---------- 3c 74 61 62 6c 65 20 69 64 3d 5c 22 66 69 6c 65 74 61 62 6c 65 5c 22 20 63 6c 61 73 73 3d 5c 22 66 69 6c 65 6c 69 73 74 5c 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 5c 22 31 70 78 5c 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 5c 22 30 70 78 5c 22 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016152 -------- Hex Payload Start ---------- 3c 68 32 3e 28 4c 29 61 75 6e 63 68 20 65 78 74 65 72 6e 61 6c 20 70 72 6f 67 72 61 6d 3c 2f 68 32 3e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir"; flow:established,to_server; content:"POST"; http_method; content:"dir="; http_client_body; content:"&sort="; http_client_body; content:"&command="; http_client_body; content:"&Submit="; http_client_body; classtype:attempted-user; sid:2016153; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016154 -------- Hex Payload Start ---------- 16 03 20 2a 2e 45 47 4f 2e 47 4f 56 2e 54 52 20 2a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d --------- Hex Payload End ----------- query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"query=0"; |---------------------| Building Rule: 2016156 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- filtername\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=)) uricontent:"filtername=0"; |---------------------| Building Rule: 2016157 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016158 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016159 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016160 -------- Hex Payload Start ---------- 43 4c 53 49 44 45 45 41 33 36 37 39 33 2d 46 35 37 34 2d 34 43 43 31 2d 38 36 39 30 2d 36 30 45 33 35 31 31 43 46 45 41 41 2e 4c 6f 61 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016161 -------- Hex Payload Start ---------- 43 4c 53 49 44 41 37 30 44 31 36 30 45 2d 45 39 32 35 2d 34 32 30 37 2d 38 30 33 42 2d 41 30 44 37 30 32 42 45 44 46 34 36 2e 43 68 65 63 6b 43 6f 6d 
70 61 74 69 62 69 6c 69 74 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016162 -------- Hex Payload Start ---------- 43 4c 53 49 44 42 42 42 37 41 41 37 43 2d 44 43 45 34 2d 34 46 38 35 2d 41 45 44 33 2d 37 32 46 45 33 42 43 41 34 31 34 31 2e 41 64 6d 69 6e 5f 52 65 6d 6f 76 65 44 69 72 65 63 74 6f 72 79 --------- Hex Payload End ----------- MyStyle\[StylePath\]=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"MyStyle[StylePath]=:/"; |---------------------| Building Rule: 2016163 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- MyStyle\[StylePath\]=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"MyStyle[StylePath]=:/"; |---------------------| Building Rule: 2016164 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- dir\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=)) uricontent:"dir=0"; |---------------------| Building Rule: 2016165 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016166 -------- Hex Payload Start ---------- 38 30 2c 31 30 38 2c 31 31 37 2c 31 30 33 2c 31 30 35 2c 31 31 30 2c 36 38 2c 31 30 31 2c 31 31 36 2c 31 30 31 2c 39 39 2c 31 31 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016167 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016168 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 3a e9 78 c0 b9 2e 3f 9a 49 c5 56 65 5f ce 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016169 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016171 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3} content:"###"; |---------------------| Building Rule: 2016172 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 0d 0a 0d 0a 20 80 00 80 80 00 80 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \/[0-9]{3}\.jar content:"/000.jar"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; content:"/000.jar"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:4;) Parser failed - skipping rule ^(?:application\/(?:x-)?|text\/)xml content:"xml"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; content:"xml"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:3;) Parser failed - skipping rule ^(?:application\/(?:x-)?|text\/)xml content:"xml"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; content:"xml"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016177 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 20 66 69 6c 65 6e 61 6d 65 3d 22 73 65 63 75 72 69 74 79 5f 73 63 61 6e 6e 65 72 2e 65 78 65 22 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016182 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016183 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016184 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016189 -------- Hex Payload Start ---------- 20 20 20 20 20 20 48 6f 73 74 3a 20 6d 65 67 61 75 70 6c 6f 61 64 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016190 -------- Hex Payload Start ---------- 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6a 61 76 61 2d 61 70 70 6c 65 74 20 77 69 64 74 68 3d 22 30 30 30 20 68 65 69 67 68 74 3d 22 30 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016191 -------- Hex Payload Start ---------- 3c 64 69 76 20 69 64 3d 22 68 65 61 70 5f 61 6c 6c 69 67 6e 22 3e 3c 2f 64 69 76 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016192 Error here within! 
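The four "ET SNMP missing community string attempt" rules above (sids 2016178 to 2016181) are skipped by the converter. Read together they are one check written four ways: the outer SEQUENCE (0x30) and the version INTEGER (0x02) may each carry a short-form BER length (high bit clear) or a long-form one (high bit set, 0x8n followed by n length bytes), and the byte_test/byte_jump pairs cover the four combinations (attempt 1 short/short, 2 long/long, 3 long/short, 4 short/long) before looking for the literal "|04 00|", an OCTET STRING of length zero in the community position. The block below is an added example, not the converter's code and not Emerging Threats code: the same check as a small BER walker that accepts either length form at every level, plus a builder that emits SNMPv1 GetRequests in both forms so the check can be run offline on constructed packets.

```python
"""Flag SNMP messages whose community string is empty (added example, not Emerging Threats code).

The rule set above encodes this as four byte_test/byte_jump rules, one per combination of
short-form and long-form BER length on the outer SEQUENCE and the version INTEGER, ending in
the literal "|04 00|". This walker accepts either length form at every level; build_snmp_get()
produces SNMPv1 GetRequests in both forms so the check can be exercised on constructed packets.
"""

SEQUENCE, INTEGER, OCTET_STRING, OID, NULL, GET_REQUEST = 0x30, 0x02, 0x04, 0x06, 0x05, 0xA0


def read_tlv(buf, pos):
    """Decode the BER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80 == 0:                       # short form: the byte is the length
        length = first
    else:                                       # long form: 0x8n, then n big-endian length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past the end of the packet")
    return tag, pos, pos + length


def snmp_empty_community(packet):
    """True for an SNMPv1/v2c message whose community OCTET STRING is zero bytes long.

    SNMPv3 (version 3 followed by a SEQUENCE, no community) and anything that is not
    well-formed BER return False rather than raising.
    """
    try:
        tag, start, end = read_tlv(packet, 0)
        if tag != SEQUENCE:
            return False
        tag, _, vend = read_tlv(packet, start)            # version INTEGER
        if tag != INTEGER or vend > end:
            return False
        tag, cstart, cend = read_tlv(packet, vend)        # community OCTET STRING
        if tag != OCTET_STRING or cend > end:
            return False
        return cstart == cend                             # the "|04 00|" the rules look for
    except ValueError:
        return False


def encode_length(length, long_form=False):
    """BER length: short form when it fits in 7 bits, otherwise (or on request) 0x8n + n bytes."""
    if length < 0x80 and not long_form:
        return bytes([length])
    body = length.to_bytes(max(1, (length.bit_length() + 7) // 8), "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value, long_form=False):
    return bytes([tag]) + encode_length(len(value), long_form) + value


def build_snmp_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00", long_form=False):
    """SNMPv1 GetRequest for one OID (BER-encoded; the default is sysDescr.0, 1.3.6.1.2.1.1.1.0).

    long_form=True writes every length as 0x81 nn: legal BER, not minimal DER, and the shape
    the "attempt 2" to "attempt 4" rules exist to catch.
    """
    lf = long_form
    varbind = tlv(SEQUENCE, tlv(OID, oid, lf) + tlv(NULL, b"", lf), lf)
    pdu = tlv(GET_REQUEST,
              tlv(INTEGER, b"\x01", lf)          # request-id
              + tlv(INTEGER, b"\x00", lf)        # error-status
              + tlv(INTEGER, b"\x00", lf)        # error-index
              + tlv(SEQUENCE, varbind, lf), lf)  # variable-bindings
    return tlv(SEQUENCE,
               tlv(INTEGER, b"\x00", lf)         # version 0 = SNMPv1
               + tlv(OCTET_STRING, community, lf)
               + pdu, lf)


if __name__ == "__main__":
    # Constructed packets, not captures: empty community in both length forms, then a normal one.
    for label, pkt in (("empty/short", build_snmp_get(b"")),
                       ("empty/long", build_snmp_get(b"", long_form=True)),
                       ("public/short", build_snmp_get(b"public"))):
        print(f"{label:13} {pkt.hex(' ')[:60]:60} -> {snmp_empty_community(pkt)}")
```

One gap is visible from the rules' own text: all four end with `content:"|04 00|"`, so a community encoded with a long-form zero length (`04 81 00`, which `build_snmp_get(b"", long_form=True)` emits and the walker still flags) would not match any of them, although it is the same empty community string on the wire.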
-------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 20 3c 64 69 76 20 69 64 3d 20 20 20 20 20 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d --------- Hex Payload End ----------- ^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$ uricontent:"/aaaaaa/?0"; |---------------------| Building Rule: 2016193 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- test\-head\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"test-head=0"; |---------------------| Building Rule: 2016194 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- wppath=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"wppath=:/"; |---------------------| Building Rule: 2016195 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- topic\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"topic=0"; |---------------------| Building Rule: 2016196 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016197 -------- Hex Payload Start ---------- 43 4c 53 49 44 45 30 31 44 46 37 39 43 2d 42 45 30 43 2d 34 39 39 39 2d 39 42 31 33 2d 42 35 46 37 42 32 33 30 36 45 39 42 2e 44 6f 77 6e 6c 6f 61 64 46 72 6f 6d 55 52 4c --------- Hex Payload End ----------- |---------------------| Building Rule: 2016198 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- viewid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"viewid=0"; |---------------------| Building Rule: 2016199 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016200 -------- 
Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016201 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016202 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- filename\_1=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"filename_1=:/"; |---------------------| Building Rule: 2016203 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported <(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby NOT IMPL Groupref Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/telnet_cmd.php"; fast_pattern; http_uri; content:"User-Agent|3A| Opera/9.61|0D 0A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; content:"&c="; http_client_body; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:trojan-activity; sid:2016205; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2016206 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016207 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016208 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016209 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 --------- Hex Payload End ----------- \x2F[0-9]{3}\.pdf$ 
uricontent:"/000.pdf"; |---------------------| Building Rule: 2016210 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \/cgi-bin\/nt\/th$ uricontent:"/cgi-bin/nt/th"; |---------------------| Building Rule: 2016214 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/cgi-bin\/nt\/sk$ uricontent:"/cgi-bin/nt/sk"; |---------------------| Building Rule: 2016215 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/cgi-bin\/dllhost\/ac$ uricontent:"/cgi-bin/dllhost/ac"; |---------------------| Building Rule: 2016216 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/cgi-bin\/ms\/check$ uricontent:"/cgi-bin/ms/check"; |---------------------| Building Rule: 2016217 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/cgi-bin\/ms\/flush$ uricontent:"/cgi-bin/ms/flush"; |---------------------| Building Rule: 2016218 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/cgi-bin\/win\/wcx$ uricontent:"/cgi-bin/win/wcx"; |---------------------| Building Rule: 2016219 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/cgi-bin\/win\/cab$ uricontent:"/cgi-bin/win/cab"; |---------------------| Building Rule: 2016220 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016222 -------- Hex Payload Start ---------- 20 47 45 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016224 -------- Hex Payload Start ---------- 45 54 61 67 3a 20 22 38 63 30 62 66 36 2d 62 61 2d 34 62 39 37 35 61 35 33 39 30 36 65 34 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016225 -------- Hex 
Payload Start ---------- 45 54 61 67 3a 20 22 31 63 38 32 34 65 2d 62 61 2d 34 62 63 64 38 63 38 62 33 36 33 34 30 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016226 -------- Hex Payload Start ---------- 45 54 61 67 3a 20 57 2f 22 31 38 36 2d 31 33 33 33 35 33 38 38 32 35 30 30 30 22 --------- Hex Payload End ----------- [^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class content:"#aaaaaaa.class"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; content:"<title>Loading, Please Wait...</title>"; content:"#aaaaaaa.class"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:5;) Parser failed - skipping rule [^a-zA-Z0-9_\-.]B\.class content:"#B.class"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; content:"#B.class"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:5;) Parser failed - skipping rule \/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaaaaaaaaaaaaaa/a.php"; |---------------------| Building Rule: 2016229 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- redirect\_to=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"redirect_to=:/"; |---------------------| Building Rule: 2016230 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016231 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016232 -------- Hex Payload Start ---------- 20 20 20 2e 2e 
2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016233 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- id\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"id=0"; |---------------------| Building Rule: 2016234 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016236 -------- Hex Payload Start ---------- 34 35 45 36 36 39 35 37 2d 32 39 33 32 2d 34 33 32 41 2d 41 31 35 36 2d 33 31 35 30 33 44 46 30 41 36 38 31 2e 4c 61 75 6e 63 68 54 72 69 50 61 6e 65 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016237 -------- Hex Payload Start ---------- 43 4c 53 49 44 45 41 38 41 33 39 38 35 2d 46 39 44 46 2d 34 36 35 32 2d 41 32 35 35 2d 45 34 45 37 37 37 32 41 46 43 41 38 2e 50 72 65 70 61 72 65 53 79 6e 63 --------- Hex Payload End ----------- token\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"token=0"; |---------------------| Building Rule: 2016238 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- token\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"token=0"; |---------------------| Building Rule: 2016239 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016240 -------- Hex Payload Start ---------- 2f 63 6f 6d 2f 73 75 6e 2f 6f 72 67 2f 67 6c 61 73 73 66 69 73 68 2f 67 6d 62 61 6c 2f 75 74 69 6c 2f 47 65 6e 65 72 69 63 43 6f 6e 73 74 72 75 63 74 6f 72 2e 63 6c 61 73 73 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016235 -------- Hex Payload Start 
---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 4b 65 79 48 65 6c 70 2e 4b 65 79 53 63 72 69 70 74 2e 4c 61 75 6e 63 68 54 72 69 50 61 6e 65 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016242 -------- Hex Payload Start ---------- 61 70 70 6c 65 74 20 44 79 79 20 4f 6a 6a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016244 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 53 79 6d 6c 69 6e 6b 5f 53 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016245 -------- Hex Payload Start ---------- 3c 62 3e 53 6f 66 74 77 61 72 65 3a 20 3c 62 3e 75 6e 61 6d 65 20 2d 61 3a 20 3c 62 3e 75 69 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016247 -------- Hex Payload Start ---------- 22 70 64 66 78 2e 68 74 5c 78 36 64 6c 22 --------- Hex Payload End ----------- \/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100} uricontent:"/i.html?0x0=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; uricontent:"/i.html?0x0=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2016249 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016250 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018763 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; content:"POST"; http_method; content:"X-ID|3a|"; http_header; content:"PSTORE|3a|"; http_client_body; classtype:trojan-activity; sid:2016252; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown POST of System Info"; flow:established,to_server; content:"POST"; http_method; content:"X-ID|3a|"; http_header; content:"User is SYSTEM|3a|"; http_client_body; classtype:trojan-activity; sid:2016253; rev:3;) Parser failed - skipping rule \x2F[a-z]\x2Ejar$ uricontent:"/a.jar"; |---------------------| Building Rule: 2016254 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016255 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016256 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016270 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016271 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016272 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016273 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016274 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016276 -------- Hex Payload Start ---------- 43 6f 6e 66 75 73 69 6e 67 43 6c 61 73 73 4c 6f 61 64 65 72 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016277 -------- Hex Payload Start ---------- 43 6f 6e 66 75 73 65 72 2e 63 6c 61 73 73 --------- Hex Payload End ----------- \/script\/?$ uricontent:"/script"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; content:"POST"; http_method; content:"/script"; http_uri; nocase; uricontent:"/script"; content:"script"; http_client_body; nocase; content:"Submit"; nocase; http_client_body; content:"Runtime"; http_client_body; nocase; content:"getRuntime"; nocase; http_client_body; distance:0; content:".exec"; nocase; http_client_body; classtype:attempted-user; sid:2016294; rev:10;) Parser failed - skipping rule \/script\/?$ uricontent:"/script"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; content:"POST"; http_method; nocase; content:"/script"; http_uri; nocase; uricontent:"/script"; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; content:".decodeBuffer"; nocase; http_client_body; content:"cmd.exe"; http_client_body; fast_pattern; classtype:attempted-user; sid:2016295; rev:7;) Parser failed - skipping rule \/script\/?$ uricontent:"/script"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/script"; http_uri; nocase; uricontent:"/script"; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; content:".decodeBuffer"; nocase; http_client_body; content:"/bin/sh"; http_client_body; fast_pattern; classtype:attempted-user; sid:2016296; rev:7;) Parser failed - skipping rule keyword\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=)) uricontent:"keyword=0"; |---------------------| Building Rule: 2016282 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- keyword\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=)) uricontent:"keyword=0"; |---------------------| Building Rule: 2016283 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016284 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016285 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016286 -------- Hex Payload Start 
---------- 43 4c 53 49 44 42 31 45 37 35 30 35 45 2d 42 42 46 44 2d 34 32 42 46 2d 39 38 43 39 2d 36 30 32 32 30 35 41 31 35 30 34 43 2e 53 61 76 65 54 6f 46 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016287 -------- Hex Payload Start ---------- 20 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016288 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ForumID\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=)) uricontent:"ForumID=0"; |---------------------| Building Rule: 2016289 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ThreadPage\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=)) uricontent:"ThreadPage=0"; |---------------------| Building Rule: 2016290 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- db\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=)) uricontent:"db=0"; |---------------------| Building Rule: 2016291 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- ^hello\/[0-9]\.[0-9]\/[0-9]{3} content:"hello/0.0/000"; type both,track by_src,seconds 60,count 1 |---------------------| Building Rule: 2016292 -------- Hex Payload Start ---------- 68 65 6c 6c 6f 2f 20 20 2f 20 2f 20 68 65 6c 6c 6f 2f 30 2e 30 2f 30 30 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End 
----------- |---------------------| Building Rule: 2016293 Error here within! Error here within! -------- Hex Payload Start ---------- 4d 49 44 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 55 49 44 20 20 20 20 20 45 4e 44 --------- Hex Payload End ----------- ^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:" name=Twitter "; |---------------------| Building Rule: 2016297 Error here within! -------- Hex Payload Start ---------- 3c 69 66 72 61 6d 65 20 0d 6e 61 6d 65 3d 54 77 69 74 74 65 72 0d 20 73 63 72 6f 6c 6c 69 6e 67 3d 61 75 74 6f 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 6e 6f 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 20 68 65 69 67 68 74 3d 32 20 77 69 64 74 68 3d 32 --------- Hex Payload End ----------- ^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:" name=Twitter "; |---------------------| Building Rule: 2016298 Error here within! 
-------- Hex Payload Start ---------- 3c 69 66 72 61 6d 65 20 0d 6e 61 6d 65 3d 54 77 69 74 74 65 72 0d 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 61 75 74 6f 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 6e 6f 22 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 68 65 69 67 68 74 3d 22 32 22 20 77 69 64 74 68 3d 22 32 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016299 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- ^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3] content:"Server:miniupnpd/1.0"; |---------------------| Building Rule: 2016302 -------- Hex Payload Start ---------- 6d 69 6e 69 75 70 6e 70 64 2f 31 2e 20 53 65 72 76 65 72 3a 6d 69 6e 69 75 70 6e 70 64 2f 31 2e 30 --------- Hex Payload End ----------- ^Server\x3a[^\r\n]*Intel SDK for UPnP devices content:"Server:Intel SDK for UPnP devices"; |---------------------| Building Rule: 2016303 -------- Hex Payload Start ---------- 49 6e 74 65 6c 20 53 44 4b 20 66 6f 72 20 55 50 6e 50 20 64 65 76 69 63 65 73 20 53 65 72 76 65 72 3a 49 6e 74 65 6c 20 53 44 4b 20 66 6f 72 20 55 50 6e 50 20 64 65 76 69 63 65 73 --------- Hex Payload End ----------- ^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7]))) content:"Server:Portable SDK for UPnP devices"; |---------------------| Building Rule: 2016304 -------- Hex Payload Start ---------- 50 6f 72 74 61 62 6c 65 20 53 44 4b 20 66 6f 72 20 55 50 6e 50 20 64 65 76 69 63 65 73 20 53 65 72 76 65 72 3a 50 6f 72 74 61 62 6c 65 20 53 44 4b 20 66 6f 72 20 55 50 6e 50 20 64 65 76 69 63 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \/inf\.php\?id=[a-f0-9]{32}$ uricontent:"/inf.php?id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016306 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[a-f0-9]{32} content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; 
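Every rule this log skips with "Unsupported keyword!" (sids 2016295, 2016296, 2016347 and 2016368) carries the legacy `uricontent` option beside a `content ...; http_uri;` pair, and the rejected token is `uricontent:"/script";` or `uricontent:"a.js";`. Snort's documentation defines `uricontent:"x";` as the same test as `content:"x"; http_uri;`, so a normaliser that rewrites one into the other lets such rules through a parser that only knows the modern form. The parser below is an added example, not code from the tool whose output this log is; it splits a rule into header fields and an ordered option list while honouring quoted values (a `;` inside `msg` or `pcre` must not end an option, and a backslash inside quotes escapes the next character), performs the rewrite, and reassembles the rule. The Styx Exploit Kit rule it carries is the one quoted in this log; the short option string in the test is constructed.

```python
import re

# Header: action proto src sport dir dst dport (options). DOTALL so a multi-line rule still matches.
HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.DOTALL,
)

# The Styx rule exactly as this log prints it before skipping it.
STYX_RULE = (
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; '
    r'flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; '
    r'uricontent:"a.js"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; '
    r'classtype:bad-unknown; sid:2016347; rev:6;)'
)


def split_options(body):
    """'k:v; k; k:"v; x";' -> [(keyword, value or None), ...]. A ';' inside double quotes does not
    split, and a backslash inside quotes escapes the next character, so msg/pcre values survive."""
    options, buf, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            token = "".join(buf).strip()
            buf = []
            if token:
                key, sep, value = token.partition(":")
                options.append((key.strip(), value.strip() if sep else None))
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quoted value in rule options")
    if "".join(buf).strip():
        raise ValueError("option without a closing ';': " + "".join(buf).strip())
    return options


def parse_rule(text):
    """Split one rule into its header fields and an ordered option list."""
    match = HEADER.match(text)
    if not match:
        raise ValueError("not a rule: " + text[:60])
    rule = match.groupdict()
    rule["options"] = split_options(rule.pop("body"))
    return rule


def normalize_uricontent(options):
    """uricontent:"x"; (or !"x") is the same test as content:"x"; http_uri; so emit that form."""
    out = []
    for key, value in options:
        if key == "uricontent":
            out.extend([("content", value), ("http_uri", None)])
        else:
            out.append((key, value))
    return out


def unparse_rule(rule):
    """Reassemble header and options into rule text."""
    opts = " ".join(f"{k};" if v is None else f"{k}:{v};" for k, v in rule["options"])
    return (f"{rule['action']} {rule['proto']} {rule['src']} {rule['sport']} {rule['dir']} "
            f"{rule['dst']} {rule['dport']} ({opts})")


def rewrite_uricontent(text):
    """Return the rule text with every uricontent option replaced by content + http_uri."""
    rule = parse_rule(text)
    rule["options"] = normalize_uricontent(rule["options"])
    return unparse_rule(rule)


if __name__ == "__main__":
    print(rewrite_uricontent(STYX_RULE))
```

Keeping the option list ordered matters: `http_uri` is a modifier of the `content` immediately before it, so the rewrite must emit the pair adjacently and in that order, which is why the normaliser works on the list rather than on a dict of options.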
|---------------------| Building Rule: 2016307 -------- Hex Payload Start ---------- 41 64 6f 62 65 20 46 6c 61 73 68 20 6d 75 73 74 20 62 65 20 75 70 64 61 74 65 64 20 74 6f 20 76 69 65 77 20 74 68 69 73 2f 6c 69 62 2f 61 64 6f 62 65 2e 70 68 70 3f 69 64 3d 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- \/jdb\/[^\/]+\.class$ uricontent:"/jdb/#.class"; |---------------------| Building Rule: 2016308 -------- Hex Payload Start ---------- 20 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- \.php\?id=[a-f0-9]{32}$ uricontent:".php?id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016309 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- \/lib\/adobe\.php\?id=[a-f0-9]{32}$ uricontent:"/lib/adobe.php?id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016310 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016311 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016312 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016313 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- port\x3D[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5} uricontent:"port=0.0.0.0:0"; |---------------------| Building Rule: 2016314 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016316 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 6f 72 74 68 67 6f 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\s*=\s*[\x22\x27] content:"=""; |---------------------| Building 
Rule: 2016319 Error here within! Error here within! Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 76 61 6c 75 65 20 3d 22 20 20 20 20 20 20 20 20 68 20 20 20 20 20 20 20 20 74 20 20 20 20 20 20 20 20 74 20 20 20 20 20 20 20 20 70 20 20 20 20 20 20 20 20 3a 20 20 20 20 20 20 20 20 2f --------- Hex Payload End ----------- \.gif$ uricontent:".gif"; |---------------------| Building Rule: 2016320 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016321 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- ^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181} content:"schemas:device:#####################################################################################################################################################################################"; |---------------------| Building Rule: 2016322 -------- Hex Payload Start ---------- 0d 0a 53 54 3a 20 73 63 68 65 6d 61 73 3a 64 65 76 69 63 65 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 73 63 68 65 6d 61 73 3a 64 65 76 69 63 65 --------- Hex Payload End ----------- ^[^\r\n]*uuid\x3a[^\r\n\x3a]{181} 
content:"uuid:#####################################################################################################################################################################################"; |---------------------| Building Rule: 2016323 -------- Hex Payload Start ---------- 0d 0a 53 54 3a 20 75 75 69 64 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- ^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181} content:"urn:service:#####################################################################################################################################################################################"; |---------------------| Building Rule: 2016324 -------- Hex Payload Start ---------- 0d 0a 53 54 3a 20 75 72 6e 3a 73 65 72 76 69 63 65 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 75 72 6e 3a 73 65 72 76 69 63 65 --------- Hex Payload End ----------- ^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181} 
content:"urn:device:#####################################################################################################################################################################################"; |---------------------| Building Rule: 2016325 -------- Hex Payload Start ---------- 0d 0a 53 54 3a 20 75 72 6e 3a 64 65 76 69 63 65 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 75 72 6e 3a 64 65 76 69 63 65 --------- Hex Payload End ----------- ^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181} content:"schemas:device:#:#####################################################################################################################################################################################"; |---------------------| Building Rule: 2016326 -------- Hex Payload Start ---------- 0d 0a 53 54 3a 20 73 63 68 65 6d 61 73 3a 64 65 76 69 63 65 3a 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 73 63 68 65 6d 61 73 3a 64 65 76 69 63 65 --------- Hex Payload 
End ----------- |---------------------| Building Rule: 2016327 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016328 -------- Hex Payload Start ---------- 20 50 4f 53 54 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016329 -------- Hex Payload Start ---------- 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 64 65 2d 61 74 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016330 -------- Hex Payload Start ---------- 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 64 65 2d 61 74 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016331 -------- Hex Payload Start ---------- 74 72 65 64 6e 65 74 40 6a 61 62 62 65 72 2e 72 75 --------- Hex Payload End ----------- ^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q) NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref content:"=".gif"; |---------------------| Building Rule: 2016333 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 61 72 63 68 69 76 65 20 3d 22 2e 67 69 66 --------- Hex Payload End ----------- file=\s*((ht|f)tps?|data|php)\x3a\/ uricontent:"file=http:/"; |---------------------| Building Rule: 2016334 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016335 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016336 
-------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- src\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"src=0"; |---------------------| Building Rule: 2016337 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- src=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"src=:/"; |---------------------| Building Rule: 2016338 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- id\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"id=0"; |---------------------| Building Rule: 2016339 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016340 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016342 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016343 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 61 6c 76 69 6b 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016344 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 61 6c 76 69 6b 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016345 -------- Hex Payload Start ---------- 47 45 54 20 20 31 2e 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 75 6e 6b 6e 6f 77 6e 0d 0a 0d 0a --------- Hex Payload End ----------- ^[a-z]+\.js$ uricontent:"a.js"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; uricontent:"a.js"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:6;) Parser failed - skipping rule ^((?!<\/applet>).)+?\.jar\?java=\d+ NOT IMPL not _simple(av) in REPEATING CODES content:".jar?java=0"; |---------------------| Building Rule: 2016348 -------- Hex Payload Start ---------- 2e 6a 61 72 3f 6a 61 76 61 3d 20 3c 61 70 70 6c 65 74 20 2e 6a 61 72 3f 6a 61 76 61 3d 30 20 20 6e 61 6d 65 3d 20 68 74 74 70 20 20 6e 61 6d 65 3d 20 66 74 70 --------- Hex Payload End ----------- \.jar\?java=\d+$ uricontent:".jar?java=0"; |---------------------| Building Rule: 2016349 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- \/\?whole=\d+$ uricontent:"/?whole=0"; |---------------------| Building Rule: 2016350 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- \x2Fjerk\x2Ecgi\x3F[0-9]$ uricontent:"/jerk.cgi?0"; |---------------------| Building Rule: 2016352 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016353 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 76 61 6c 75 65 3d 2f 67 65 74 6d 79 66 69 6c 65 2e 65 78 65 3f 6f 3d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016355 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 47 6f 6f 67 6c 65 20 2b 2b 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016356 -------- Hex Payload Start ---------- 6a 73 2e 70 64 2e 6a 73 20 7c 61 70 70 6c 65 74 7c --------- Hex Payload End ----------- 
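The lines of the form `<regex> uricontent:"<sample>";` record the tool turning each rule's `pcre` into a literal that should satisfy it: `[^\r\n\x3a]{181}` becomes 181 `#` bytes, `[a-f0-9]{32}` becomes 32 `a`s, `\d+` becomes `0`. The messages "NOT IMPL not _simple(av) in REPEATING CODES" and "NOT IMPL Groupref" show that the walk is over Python's regex parse tree and that back-references are not handled, and the log also shows where a naive walk produces a sample the regex never matches: `src=\s*(?:(?:ht|f)tps?|data|php)\x3a\/` is rendered as `uricontent:"src=:/"` with the required alternation dropped, and `keyword\x3d.+(?:on(...)|s(?:cript|tyle=))` as `uricontent:"keyword=0"`. The sampler below is an added example, not the logged tool's code: it repeats each quantifier its minimum count, takes the first branch of every alternation, records captures so `(?P=q)` is reproduced, and then confirms the result with `re.search` before rendering it as a `content` option with `|hex|` escapes. The regexes in the test are the ones printed in this log; the filler choices (`#` for a negated class, `a` for `.`) are this example's own conventions.

```python
import re

try:                                    # Python >= 3.11 moved the regex parser here
    from re import _parser as sre_parse, _constants as C
except ImportError:                     # Python <= 3.10
    import sre_parse
    import sre_constants as C

FILLER = "#"       # stand-in for a negated class, the convention the log above uses
ANY_CHAR = "a"     # stand-in for '.'
PCRE_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def split_pcre(option):
    """'"/regex/Hmi"' -> ('regex', 'Hmi'). Snort buffer letters (H, U, P, ...) are returned, not applied."""
    body = option.strip()
    if body.startswith('"') and body.endswith('"'):
        body = body[1:-1]
    end = body.rfind("/")
    if not body.startswith("/") or end == 0:
        raise ValueError("pcre option must look like /regex/flags")
    return body[1:end], body[end + 1:]


def _class_contains(items, ch):
    """Membership of ch in a parsed [...] body (leading NEGATE already stripped)."""
    code, word = ord(ch), ch.isalnum() or ch == "_"
    truth = {C.CATEGORY_DIGIT: ch.isdigit(), C.CATEGORY_NOT_DIGIT: not ch.isdigit(),
             C.CATEGORY_SPACE: ch.isspace(), C.CATEGORY_NOT_SPACE: not ch.isspace(),
             C.CATEGORY_WORD: word, C.CATEGORY_NOT_WORD: not word}
    for op, av in items:
        if (op == C.LITERAL and av == code) or (op == C.RANGE and av[0] <= code <= av[1]):
            return True
        if op == C.CATEGORY and truth.get(av, False):
            return True
    return False


def _pick_from_class(items):
    """One character satisfying a [...] class: its first member, or a filler outside a [^...] class."""
    if items and items[0][0] == C.NEGATE:
        for cand in FILLER + "a0 ":
            if not _class_contains(items[1:], cand):
                return cand
        raise ValueError("no filler character lies outside the negated class")
    op, av = items[0]
    if op == C.LITERAL:
        return chr(av)
    if op == C.RANGE:
        return chr(av[0])
    if op == C.CATEGORY:
        return {C.CATEGORY_DIGIT: "0", C.CATEGORY_SPACE: " ", C.CATEGORY_WORD: "a"}.get(av, FILLER)
    raise NotImplementedError(f"class item {op}")


def _gen(subpattern, groups):
    """Emit the shortest string the parse tree accepts, recording capture groups for back-references."""
    out = []
    for op, av in subpattern:
        if op == C.LITERAL:
            out.append(chr(av))
        elif op == C.NOT_LITERAL:
            out.append(ANY_CHAR if chr(av) != ANY_CHAR else FILLER)
        elif op == C.ANY:
            out.append(ANY_CHAR)
        elif op == C.IN:
            out.append(_pick_from_class(av))
        elif op in (C.MAX_REPEAT, C.MIN_REPEAT):
            lo, _hi, sub = av                               # exactly the minimum, so {181} gives 181 bytes
            out.append("".join(_gen(sub, groups) for _ in range(lo)))
        elif op == C.SUBPATTERN:
            gid, sub = av[0], av[-1]
            text = _gen(sub, groups)
            if gid is not None:
                groups[gid] = text                          # what (?P=name) / \N must reproduce
            out.append(text)
        elif op == C.BRANCH:
            out.append(_gen(av[1][0], groups))              # first alternative only
        elif op == C.GROUPREF:
            out.append(groups.get(av, ""))
        elif op in (C.AT, C.ASSERT, C.ASSERT_NOT):
            pass                                            # anchors and look-arounds add no bytes
        else:
            raise NotImplementedError(f"regex node {op}")
    return "".join(out)


def to_content(sample):
    """Render a sample as a content option; non-printables and Snort's special characters go in |hex|."""
    pieces = []
    for ch in sample:
        if 0x20 <= ord(ch) < 0x7F and ch not in '|";\\':
            pieces.append(ch)
        else:
            pieces.append(f"|{ord(ch):02x}|")
    return 'content:"' + "".join(pieces).replace("||", " ") + '";'


def sample_for(pcre_option):
    """(sample, content option, verified); verified is False when the tree walk could not satisfy the regex."""
    regex, flags = split_pcre(pcre_option)
    re_flags = 0
    for letter in flags:
        re_flags |= PCRE_FLAGS.get(letter, 0)
    sample = _gen(sre_parse.parse(regex, re_flags), {})
    verified = re.search(regex, sample, re_flags) is not None
    return sample, to_content(sample), verified
```

The `verified` flag is the check a practitioner wants before a generated payload goes into a test corpus: a sample that its own regex rejects, such as the log's `src=:/`, would make a rule look silent when the rule is fine. Look-arounds are skipped rather than honoured, so a regex built around `(?!...)` can still yield `verified == False`; that is reported, not hidden.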
|---------------------| Building Rule: 2016357 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.php\?(print_)?receipt=(s00|\d{3})_\d+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?receipt=s00_0"; |---------------------| Building Rule: 2016359 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016360 -------- Hex Payload Start ---------- 38 41 44 39 43 38 34 30 2d 30 34 34 45 2d 31 31 44 31 2d 42 33 45 39 2d 30 30 38 30 35 46 34 39 39 44 39 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016361 Error here within! -------- Hex Payload Start ---------- 43 41 46 45 45 46 41 43 2d 30 30 20 20 20 20 20 20 20 2d 46 46 46 46 2d 41 42 43 44 45 46 46 45 44 43 42 41 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2;) Parser failed - skipping rule ^[^\r\n]+#[^\x22\r\n]{2049} 
content:"#######################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
############################################################"; |---------------------| Building Rule: 2016364 -------- Hex Payload Start ---------- 50 4f 53 54 20 0d 0a 53 4f 41 50 41 63 74 69 6f 6e 3a 20 00 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016366 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 75 6d 62 72 61 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016367 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 75 6d 62 72 61 0d 0a --------- Hex Payload End ----------- \/picture\.php$ uricontent:"/picture.php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Toby.N Multilocker Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/picture.php"; http_uri; content:!"Referer|3a|"; http_header; uricontent:"/picture.php"; pcre:"/^Host\x3a[^\r\n]+?\r\nConnection\x3a\x20Keep-Alive(\r\n)?$/H"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016368; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported \.jpg$ uricontent:".jpg"; |---------------------| Building Rule: 2016371 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016373 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 20 6e 65 77 20 50 44 46 4f 62 6a 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016374 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2016375 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016377 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 73 74 65 61 6c 74 68 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016378 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016379 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016380 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 3e fc 75 7b --------- Hex Payload End ----------- dompdf=\s*(?:(?:ht|f)tps?|data|php)\x3a\/ uricontent:"dompdf=:/"; |---------------------| Building Rule: 2016381 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016382 -------- Hex Payload Start ---------- 43 4c 53 49 44 35 32 30 46 34 43 46 44 2d 36 31 43 36 2d 34 45 45 44 2d 38 30 30 34 2d 43 32 36 44 35 31 34 44 33 44 31 39 2e 73 61 76 65 --------- Hex Payload End ----------- playerID\x3d.+\)\)\}catch\(.+\)\{ uricontent:"playerID=0))}catch(0){"; |---------------------| Building Rule: 2016383 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016388 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016389 -------- Hex Payload Start ---------- 20 20 2e 2e 2f --------- Hex Payload End ----------- a\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)) uricontent:"a=0"; |---------------------| Building Rule: 2016390 -------- Hex Payload Start ---------- 20 --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2016391 -------- Hex Payload Start ---------- 46 57 53 4c 61 64 79 42 6f 79 6c 65 --------- Hex Payload End ----------- \x2FPost\x2Easp\x3FUid\x3D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$ uricontent:"/Post.asp?Uid=aaaaaaaa-aaaaaaaa-aaaaaaaa-aaaaaaaa"; |---------------------| Building Rule: 2016399 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27] content:"=""; |---------------------| Building Rule: 2016393 Error here within! Error here within! Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 61 70 70 6c 65 74 76 61 6c 75 65 20 3d 22 20 20 20 20 20 20 20 20 68 20 20 20 20 20 20 20 20 74 20 20 20 20 20 20 20 20 74 20 20 20 20 20 20 20 20 70 20 20 20 20 20 20 20 20 3a 20 20 20 20 20 20 20 20 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016394 -------- Hex Payload Start ---------- 0d 0a 0d 0a 46 57 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016395 -------- Hex Payload Start ---------- 43 4f 4e 54 52 4f 4c 20 53 68 6f 63 6b 77 61 76 65 46 6c 61 73 68 2e 53 68 6f 63 6b 77 61 76 65 46 6c 61 73 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016396 -------- Hex Payload Start ---------- 52 65 67 45 78 70 23 28 3f 69 29 28 29 28 29 28 3f 2d 69 29 7c 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2016397 -------- Hex Payload Start ---------- 52 65 67 45 78 70 23 28 3f 69 29 28 29 28 29 28 3f 2d 69 29 7c 7c --------- Hex Payload End ----------- ^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\| NOT IMPL not _simple(av) in REPEATING CODES content:"(?i)(?-i)||"; |---------------------| Building Rule: 2016400 -------- Hex Payload Start ---------- 52 65 67 45 78 70 23 20 28 
3f 69 29 28 3f 2d 69 29 --------- Hex Payload End ----------- ^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\| NOT IMPL not _simple(av) in REPEATING CODES content:"(?i)(?-i)||"; |---------------------| Building Rule: 2016401 -------- Hex Payload Start ---------- 52 65 67 45 78 70 23 20 28 3f 69 29 28 3f 2d 69 29 --------- Hex Payload End ----------- \.png$ uricontent:".png"; |---------------------| Building Rule: 2016402 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016403 -------- Hex Payload Start ---------- 0d 0a 0d 0a af 9e b6 98 09 fc ee d0 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016407 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 53 75 6e 4a 43 45 2e 63 6c 61 73 73 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016411 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 61 67 65 6e 74 0d 0a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016413 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 94 51 6f 6f --------- Hex Payload End ----------- \/vd\/\d+\x3b[a-f0-9]{32} uricontent:"/vd/0;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; uricontent:"/vd/0;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; classtype:trojan-activity; sid:2016412; rev:2;) Parser failed - skipping rule \.txt\?e=\d+(&[fh]=\d+)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".txt?e=0"; |---------------------| Building Rule: 2016414 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016417 -------- Hex Payload Start ---------- 20 20 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 72 75 2d 52 55 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016418 Error here within! 
-------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 5b e9 f4 6a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016419 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 b0 1f 3e 4c --------- Hex Payload End ----------- |---------------------| Building Rule: 2016420 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 52 a5 19 a7 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016421 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 52 a5 19 d2 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016422 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 c6 3d e3 06 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016423 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 32 3e 0c 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016425 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 36 20 4d 53 49 45 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016426 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 63 6f 64 65 3d 22 68 77 22 --------- Hex Payload End ----------- \.exe\?(e=)?\d+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".exe?0"; |---------------------| Building Rule: 2016427 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016431 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 28 63 6f 6d 70 61 74 69 62 6c 65 2b 4d 53 49 45 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| 
Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016434 Error here depth! -------- Hex Payload Start ---------- 0a 43 6f 6f 6b 69 65 3a 20 43 41 51 47 42 67 6f 46 44 31 59 20 43 41 51 47 42 67 6f 46 44 31 59 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016435 Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 30 20 3a 20 20 3a 20 20 2b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016436 Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 31 20 3a 20 20 3a 20 20 2b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016437 Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 32 20 3a 20 20 3a 20 20 2b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016438 -------- Hex Payload Start ---------- 3c 21 2d 2d 2d 3c 74 61 62 6c 65 3c 62 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016440 -------- Hex Payload Start ---------- 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 30 3b 20 57 69 6e 64 6f 77 73 20 39 38 29 20 4b 53 4d 4d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016441 -------- Hex Payload Start ---------- 66 78 66 74 65 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016442 -------- Hex Payload Start ---------- 66 78 66 74 65 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016443 -------- Hex Payload Start ---------- 2a 28 53 59 29 23 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016444 
-------- Hex Payload Start ---------- 2a 28 53 59 29 23 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016445 -------- Hex Payload Start ---------- 20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016446 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 29 0d 0a --------- Hex Payload End ----------- p=1$ uricontent:"p=1"; |---------------------| Building Rule: 2016447 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016448 -------- Hex Payload Start ---------- 3c 21 2d 2d 2d 48 45 41 44 45 52 20 41 44 53 50 41 43 45 20 73 74 79 6c 65 3d 22 5c 74 65 78 74 20 24 2d 2d 3e --------- Hex Payload End ----------- ^\d+\s*--> content:"0-->"; |---------------------| Building Rule: 2016449 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 44 4f 43 48 54 4d 4c 41 75 74 68 6f 72 20 30 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016451 -------- Hex Payload Start ---------- 3c 21 2d 2d 3c 32 30 31 30 51 42 50 20 20 32 30 31 30 51 42 50 2f 2f 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016452 -------- Hex Payload Start ---------- 20 41 63 63 65 70 74 3a 20 69 6d 61 67 65 2f 67 69 66 2c 69 6d 61 67 65 2f 78 2d 78 62 69 74 6d 61 70 20 20 4d 53 49 45 20 20 43 6f 6f 6b 69 65 3a 20 50 52 45 46 3d 38 36 38 34 35 36 33 32 30 31 37 32 34 35 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016453 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 
61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 65 6e 2d 55 53 3b 20 72 76 3a 31 2e 38 2e 30 2e 31 32 29 20 46 69 72 65 66 6f 78 2f 31 2e 35 2e 30 2e 31 32 0d 0a --------- Hex Payload End ----------- \?ID=[A-Z]{10}$ uricontent:"?ID=AAAAAAAAAA"; |---------------------| Building Rule: 2016459 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016454 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 45 78 65 6c 6f 6e 20 --------- Hex Payload End ----------- ^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n--> content:"0src="#" width=0 height=0> -->"; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016456 -------- Hex Payload Start ---------- 2a 21 4b 74 33 2b 76 7c 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016457 -------- Hex Payload Start ---------- 2a 21 4b 74 33 2b 76 7c 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016458 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 28 63 6f 6d 70 61 74 69 62 6c 65 2b 4d 53 49 45 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016462 Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 55 04 03 20 03 6e 65 77 20 55 04 0b 20 03 6e 65 77 20 55 04 0a 20 16 77 77 77 2e 76 69 72 74 75 61 6c 6c 79 74 68 65 72 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016463 Error here within! Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 03 49 42 4d 20 55 04 0a 20 18 49 6e 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 20 4c 74 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016464 Error here within! -------- Hex Payload Start ---------- 2f 09 dd e0 ff 81 b7 6c bf 2f 17 92 0c d8 bd 57 20 55 04 03 20 05 45 4d 41 49 4c --------- Hex Payload End ----------- |---------------------| Building Rule: 2016465 Error here within! -------- Hex Payload Start ---------- 0e 97 88 1c 6c a1 37 96 42 03 bc 45 42 24 75 6c 20 55 04 03 20 0f 4c 4d 2d 36 38 41 42 37 31 46 42 44 38 46 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016466 Error here within! -------- Hex Payload Start ---------- 72 a2 5c 8a b4 18 71 4e bf c6 6f 3f 98 d6 f7 74 20 55 04 03 20 02 4e 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016467 Error here within! -------- Hex Payload Start ---------- 52 55 38 16 fb 0d 1a 8a 4b 45 04 cb 06 bc c4 af 20 55 04 03 20 06 53 45 52 56 45 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016468 Error here within! -------- Hex Payload Start ---------- 20 82 92 3f 43 2c 8f 75 b7 ef 0f 6a d9 3c 8e 5d 20 55 04 03 20 03 53 55 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016469 Error here within! -------- Hex Payload Start ---------- 7c a2 74 d0 fb c3 d1 54 b3 d1 a3 00 62 e3 7e f6 20 55 04 03 20 0c 6d 61 69 6c 2e 61 6f 6c 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016470 Error here within! 
-------- Hex Payload Start ---------- 0a 38 c9 27 08 6f 96 4b be 75 dc 9f c0 1a c6 28 20 55 04 03 20 0e 6d 61 69 6c 2e 79 61 68 6f 6f 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016471 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 64 6f 77 73 2b 4e 54 2b 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016472 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 3c 21 2d 2d 20 64 57 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016474 -------- Hex Payload Start ---------- dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016475 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016476 -------- Hex Payload Start ---------- 59 32 39 74 62 57 46 75 5a 44 31 6e 5a 58 52 7a 65 58 4e 30 5a 57 30 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016477 -------- Hex Payload Start ---------- 48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a 20 43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 20 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 0d 0a 20 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016478 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 64 57 64 7a 4d 54 41 3d 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016479 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 64 57 64 7a 4d 77 3d 3d 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016480 -------- Hex Payload Start ---------- 3c 21 2d 2d 63 7a 6f 78 4d 7a 63 3d 2d 2d 21 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016482 -------- Hex 
Payload Start ---------- 3c 21 2d 2d 20 63 7a 6f 79 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016483 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 64 57 64 6c 59 32 78 70 5a 57 35 30 4c 6e 42 75 5a 77 3d 3d 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016484 -------- Hex Payload Start ---------- 46 53 73 73 4a 69 30 31 4d 57 77 6e 4f 69 63 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016485 -------- Hex Payload Start ---------- 4d 53 34 6e 4a 7a 4a 34 63 48 5a 79 65 51 3d 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016486 -------- Hex Payload Start ---------- 49 48 56 77 5a 47 46 30 5a 53 35 6e 61 57 59 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016487 -------- Hex Payload Start ---------- 47 45 54 20 20 41 63 63 65 70 74 3a 20 2a 2f 2a 2c 2c 2c 2c 2c 2c --------- Hex Payload End ----------- |---------------------| Building Rule: 2016488 -------- Hex Payload Start ---------- 59 32 39 74 62 57 46 75 5a 44 31 48 5a 58 52 44 62 32 31 74 59 57 35 6b 4f 32 4e 73 61 57 56 75 64 47 74 6c 65 54 20 4f 32 68 76 63 33 52 75 59 57 31 6c 50 57 --------- Hex Payload End ----------- [a-z]{2}\.CAB.bin uricontent:"aa.CAB0bin"; |---------------------| Building Rule: 2016489 -------- Hex Payload Start ---------- 20 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016490 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016491 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016492 -------- Hex Payload 
Start ---------- 20 20 4a 61 76 61 2f 31 2e 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016493 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 37 --------- Hex Payload End ----------- ^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27] content:"="#.ser""; |---------------------| Building Rule: 2016494 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 6f 62 6a 65 63 74 20 3d 22 00 2e 73 65 72 22 --------- Hex Payload End ----------- \.psd$ uricontent:".psd"; |---------------------| Building Rule: 2016495 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016496 -------- Hex Payload Start ---------- 2f 67 61 74 65 2e 70 68 70 3f 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016497 -------- Hex Payload Start ---------- 22 70 64 66 5c 37 38 2e 68 74 5c 36 64 6c 22 --------- Hex Payload End ----------- ^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27] NOT IMPL not _simple(av) in REPEATING CODES content:"="#/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/a.exe?a=a""; |---------------------| Building Rule: 2016498 -------- Hex Payload Start ---------- 2e 65 78 65 3f 20 3c 61 70 70 6c 65 74 20 76 61 6c 75 65 20 3d 22 00 2f 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2f 61 2e 65 78 65 3f 61 3d 61 22 --------- Hex Payload End ----------- \.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".exe&h=0"; |---------------------| Building Rule: 2016499 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 
2016500 -------- Hex Payload Start ---------- 69 66 28 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 6f 6e 63 6c 69 63 6b 21 3d 6e 75 6c 6c 29 20 69 66 28 64 6f 63 75 6d 65 6e 74 2e 73 74 79 6c 65 53 68 65 65 74 73 2e 6c 65 6e 67 74 68 21 3d 30 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016501 -------- Hex Payload Start ---------- 3c 46 4f 52 4d 20 4d 45 54 48 4f 44 3d 22 47 45 54 22 20 4e 41 4d 45 3d 22 63 6f 6d 6d 65 6e 74 73 22 20 41 43 54 49 4f 4e 3d 22 22 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016502 -------- Hex Payload Start ---------- 0d 0a 0d 0a ac ed --------- Hex Payload End ----------- |---------------------| Building Rule: 2016503 -------- Hex Payload Start ---------- 0d 0a 0d 0a ac ed --------- Hex Payload End ----------- \.ser$ uricontent:".ser"; |---------------------| Building Rule: 2016504 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016505 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 2e 73 65 72 50 4b --------- Hex Payload End ----------- \.jpeg$ uricontent:".jpeg"; |---------------------| Building Rule: 2016506 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- \x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$ uricontent:"/ping.html?r=00000"; |---------------------| Building Rule: 2016507 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016508 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \/[a-z]\.htm\?[A-Za-z0-9]+$ uricontent:"/a.htm?A"; |---------------------| Building Rule: 2016509 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 53 56 
31 29 0d 0a --------- Hex Payload End ----------- ^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27] content:"="#.ser""; |---------------------| Building Rule: 2016510 -------- Hex Payload Start ---------- 3c 65 6d 62 65 64 6f 62 6a 65 63 74 20 3d 22 00 2e 73 65 72 22 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6a 61 76 61 2d --------- Hex Payload End ----------- \?hostid=[0-9A-F]+?& uricontent:"?hostid=0&"; |---------------------| Building Rule: 2016968 -------- Hex Payload Start ---------- 20 20 20 20 20 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016511 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016512 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016513 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016514 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016515 -------- Hex Payload Start ---------- 20 20 4d 53 49 45 20 37 2e 30 3b --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"POST"; http_method; content:"act="; depth:4; fast_pattern; http_client_body; content:"&d="; http_client_body; within:20; classtype:attempted-user; sid:2016516; rev:2;) Parser failed - skipping rule ^[\r\n\s]*?\x28[^\x29]*?shellcode content:"(shellcode"; |---------------------| Building Rule: 2016519 -------- Hex Payload Start ---------- 73 70 72 61 79 48 65 61 70 20 28 73 68 65 6c 6c 63 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016520 -------- Hex Payload Start ---------- 3c 23 61 23 70 23 70 23 6c 23 65 23 74 23 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016521 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- \.php\?e=[^&]+?$ uricontent:".php?e=#"; |---------------------| Building Rule: 2016522 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.php\?e=[^&]+?$ uricontent:".php?e=#"; |---------------------| Building Rule: 2016523 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016524 -------- Hex Payload Start ---------- 7d 74 72 79 7b 64 6f 63 5b 22 62 6f 64 79 22 5d 5e 3d 32 7d 63 61 74 63 68 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016525 -------- Hex Payload Start ---------- 74 72 79 7b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 5e 3d 32 7d 63 61 74 63 68 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016526 -------- Hex Payload Start ---------- 7d 74 72 79 7b 7d 63 61 74 63 68 28 20 3d 66 61 6c 73 65 3b 7d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\x2F[a-f0-9]{40,60}$ 
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"akk="; http_client_body; depth:4; content:"&client="; http_client_body; distance:0; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016529; rev:2;) Parser failed - skipping rule \x26affid\x3D[0-9]{4,7}$ uricontent:"&affid=0000"; |---------------------| Building Rule: 2016530 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016531 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 68 74 74 70 3a 2f 2f 2e 65 78 65 3f 74 73 3d 26 61 66 66 69 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016533 -------- Hex Payload Start ---------- 20 2e 20 2d 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016534 -------- Hex Payload Start ---------- 20 2e 20 2d 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016535 -------- Hex Payload Start ---------- 20 2e 20 2d 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016536 -------- Hex Payload Start ---------- 20 2e 20 2d 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016537 -------- Hex Payload Start ---------- 47 45 54 20 74 20 2e 20 3a 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016538 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4d 5a 50 45 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016539 -------- Hex Payload Start ---------- 20 20 20 4a 61 76 61 2f 31 2e --------- 
Hex Payload End ----------- |---------------------| Building Rule: 2016540 -------- Hex Payload Start ---------- 72 20 0d 0a 0d 0a 50 4b 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016541 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 4d 79 41 70 70 6c 65 74 --------- Hex Payload End ----------- \.php\?pprec$ uricontent:".php?pprec"; |---------------------| Building Rule: 2016542 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \.php\?c002$ uricontent:".php?c002"; |---------------------| Building Rule: 2016543 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016546 -------- Hex Payload Start ---------- 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 --------- Hex Payload End ----------- ^((?!<\/applet>).)+?[\x22\x27]aHR0cDov NOT IMPL not _simple(av) in REPEATING CODES content:""aHR0cDov"; |---------------------| Building Rule: 2016549 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 20 22 61 48 52 30 63 44 6f 76 20 61 48 52 30 63 44 6f 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016552 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-z-_]+?\.(php|html)$ uricontent:"/a.php"; |---------------------| Building Rule: 2016553 Error here depth! 
End ----------- ^\/[a-z0-9]+$ uricontent:"/a"; |---------------------| Building Rule: 2016748 -------- Hex Payload Start ---------- 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 72 75 3b 47 65 63 6b 6f 2f 32 30 31 30 30 37 32 32 20 46 69 72 65 66 6f 78 2f 33 2e 36 2e 31 32 0d 0a 48 6f 73 74 3a --------- Hex Payload End ----------- \/[a-z0-9]+$ uricontent:"/a"; |---------------------| Building Rule: 2016749 -------- Hex Payload Start ---------- 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b --------- Hex Payload End ----------- ^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash) Parser failed - skipping rule \x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*? NOT IMPL Groupref NOT IMPL Groupref content:"(aaaaaaaaaaaaaaaaaaaaaaaa,a"; |---------------------| Building Rule: 2016756 -------- Hex Payload Start ---------- 50 6c 75 67 69 6e 44 65 74 65 63 74 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 66 75 6e 63 74 69 6f 6e 20 28 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 2c 61 --------- Hex Payload End ----------- ^\/c[a-z0-9]+$ uricontent:"/ca"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; uricontent:"/ca"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016753; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: 2016754 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 6d 79 69 70 2e 64 6e 73 6f 6d 61 74 69 63 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- ^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016758 -------- Hex Payload Start ---------- 50 4f 53 54 20 58 2d 4d 69 6e 69 6e 67 2d 45 78 74 65 6e 73 69 6f 6e 73 3a --------- Hex Payload End ----------- ^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n NOT IMPL Groupref content:"POST /aaaaa.php HTTP0 Host: a.net "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016760 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 50 48 50 53 68 65 6c 6c 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016761 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016762 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL Groupref NOT IMPL 
not _simple(av) in REPEATING CODES content:"GET /0/0 HTTP/1.1 User-Agent: http://# Host: "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016765 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016766 -------- Hex Payload Start ---------- 76 61 72 20 50 44 46 4f 62 6a 65 63 74 3d --------- Hex Payload End ----------- ^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a content:"AA|Aa}AA "; |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim Check-in Response"; flow:established,to_client; content:"|0d 0a 0d 0a|"; content:"|3a|some_magic_code1"; distance:9; within:29; isdataat:!1,relative; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016770 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016771 -------- Hex Payload Start ---------- 73 65 74 5f 75 72 6c 20 0d 0a 64 61 74 61 5f 62 65 66 6f 72 65 0d 0a 0d 0a 64 61 74 61 5f 65 6e 64 0d 0a 0d 0a 64 61 74 61 5f 69 6e 6a 65 63 74 0d 0a 0d 0a 64 61 74 61 5f 65 6e 64 0d 0a 0d 0a 64 61 74 61 5f 61 66 74 65 72 0d 0a 0d 0a 64 61 74 61 5f 65 6e 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016772 -------- Hex Payload Start ---------- 73 6f 6d 65 5f 6d 61 67 69 63 5f 63 6f 64 65 31 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; content:"POST"; http_method; nocase; content:"MZ"; http_client_body; content:"|00 00 00 00|"; http_client_body; distance:0; content:"PE|00 00|"; http_client_body; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; content:"POST"; http_method; nocase; content:"MZ"; http_client_body; content:"|00 00 00 00|"; http_client_body; distance:0; content:"PE|00 00|"; http_client_body; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016778 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 70 77 00 20 00 --------- Hex Payload End ----------- \.php\?get[^=]*=\d_\d{5,}$ uricontent:".php?get=0_00000"; |---------------------| Building Rule: 2016779 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016780 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 69 6e 33 32 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016781 -------- Hex Payload Start ---------- 4f 44 26 3a 78 39 54 36 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2016922; rev:10;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016784 -------- Hex Payload Start ---------- 66 6c 61 73 68 70 6c 61 79 65 72 31 31 5f 20 0d 0a 0d 0a 4d 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016785 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 6a 61 76 61 78 2f 63 72 79 70 74 6f 2f 73 70 65 63 2f 53 65 63 72 65 74 4b 65 79 53 70 65 63 --------- Hex Payload End ----------- \/[0-9]{4}\.html$ uricontent:"/0000.html"; |---------------------| Building Rule: 2016786 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol 
Not Supported ^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10}) NOT IMPL not _simple(av) in REPEATING CODES content:"="%AA"; |---------------------| Building Rule: 2016791 -------- Hex Payload Start ---------- 76 61 6c 75 65 20 3d 22 25 41 41 76 61 72 20 50 6c 75 67 69 6e 44 65 74 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported \?[0-9a-f]{6}$ uricontent:"?000000"; |---------------------| Building Rule: 2016794 -------- Hex Payload Start ---------- 53 45 43 49 44 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016795 Protocol Not Supported |---------------------| Building Rule: 2016796 -------- Hex Payload Start ---------- 58 31 39 68 63 48 42 73 5a 58 52 66 63 33 4e 32 58 33 5a 68 62 47 6c 6b 59 58 52 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2016797 -------- Hex Payload Start ---------- 3c 6a 6e 6c 70 20 5f 5f 61 70 70 6c 65 74 5f 73 73 76 5f 76 61 6c 69 64 61 74 65 64 --------- Hex Payload End ----------- ^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jnlp"; |---------------------| Building Rule: 2016798 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.swf"; |---------------------| Building Rule: 2016799 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016802 -------- Hex Payload Start ---------- 20 20 61 70 69 2e 6d 79 6f 62 66 75 73 63 61 74 65 2e 63 6f 6d 0d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016803 -------- Hex Payload Start 
---------- 58 2d 53 69 6e 6b 68 6f 6c 65 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016804 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016805 -------- Hex Payload Start ---------- 55 41 43 44 69 73 61 62 6c 65 4e 6f 74 69 66 79 --------- Hex Payload End ----------- ^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27] content:"Base64.decode(""; |---------------------| Building Rule: 2016807 -------- Hex Payload Start ---------- 42 61 73 65 36 34 2e 64 65 63 6f 64 65 20 65 76 61 6c 28 20 42 61 73 65 36 34 2e 64 65 63 6f 64 65 28 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016808 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/[a-z-_]{75,}\.php$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php"; |---------------------| Building Rule: 2016809 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016806 Error here within! -------- Hex Payload Start ---------- 55 04 03 20 20 2a 2e 74 6f 72 32 77 65 62 2e --------- Hex Payload End ----------- ^(?:sh|lu|to) content:""; |---------------------| Building Rule: 2016810 Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 20 2a 2e 6f 6e 69 6f 6e 2e 20 --------- Hex Payload End ----------- ^\/[a-z0-9]{1,4}\.jnlp$ uricontent:"/a.jnlp"; |---------------------| Building Rule: 2016811 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016812 -------- Hex Payload Start ---------- 55 04 08 13 05 4f 63 65 61 6e --------- Hex Payload End ----------- &jopa=\d+$ uricontent:"&jopa=0"; |---------------------| Building Rule: 2016813 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016817 -------- Hex Payload Start ---------- 39 66 59 58 42 77 62 47 56 30 58 33 4e 7a 64 6c 39 32 59 57 78 70 5a 47 46 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016818 -------- Hex Payload Start ---------- 66 58 32 46 77 63 47 78 6c 64 46 39 7a 63 33 5a 66 64 6d 46 73 61 57 52 68 64 47 56 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016819 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016820 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016821 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- ^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null) content:"="""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; content:".offsetParent"; nocase; content:"="""; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern:only; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016823 -------- Hex Payload Start ---------- 3a 20 4f 70 65 72 61 2f 31 30 20 20 20 --------- Hex Payload End ----------- ^[\r\n\s]*?\x28[^\x29]*?shellcode content:"(shellcode"; |---------------------| Building Rule: 2016824 -------- Hex Payload Start ---------- 6d 73 74 69 6d 65 5f 6d 61 6c 6c 6f 63 20 28 73 68 65 6c 6c 63 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016825 -------- Hex Payload Start ---------- 51 32 39 73 62 47 56 6a 64 45 64 68 63 6d 4a 68 5a 32 55 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016826 -------- Hex Payload Start ---------- 4e 76 62 47 78 6c 59 33 52 48 59 58 4a 69 59 57 64 6c 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016827 -------- Hex Payload Start ---------- 44 62 32 78 73 5a 57 4e 30 52 32 46 79 59 6d 46 6e 5a 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016828 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- \/[a-z]\/$ uricontent:"/a/"; |---------------------| 
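Several of the log entries above (sids 2016716 to 2016719 and 2016762) show the converter giving up on a PCRE with "NOT IMPL Groupref" and falling back to a literal such as content:"GET /0/0 HTTP/1.1 User-Agent: http://# Host: " or content:" src="http://#//q.php". The example below is added here and is not the converter's code or anything from the ET ruleset: it evaluates those two PCREs as copied from the log with Python's re module, which accepts the (?P<name>...) and (?P=name) syntax unchanged, and shows that a payload only satisfies them when the captured text is reused at every backreference (the "groupref" resolution the converter lacks), while the converter's own fallback literal does not. Assumptions: the log does not show the PCRE flags, so none are applied; the iframe PCRE is evaluated on the bytes following the content match "<iframe", as a relative match; all host names, hashes and requests are constructed.

```python
"""Added example, not from the converter or the ET ruleset: evaluate the
backreference PCREs the log marks "NOT IMPL Groupref" and generate a
payload that satisfies them.  Flags are not shown in the log; none assumed."""
import re

# sid 2016762 PCRE, copied from the log: the request URI must reappear at the
# end of the User-Agent URL, and the Host header must equal that URL's host.
PCRE_2016762 = re.compile(
    rb"^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\n"
    rb"User-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\n"
    rb"Host\x3a\x20(?P=host)\r\n(\r\n)?$"
)

# sid 2016716 PCRE (q.php variant), copied from the log: (?P=q1) forces the
# closing quote to be the same character as the opening one.
PCRE_2016716 = re.compile(
    rb"^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])"
    rb"http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)"
)


def build_request_2016762(host: bytes, uri: bytes) -> bytes:
    """Generate a request satisfying PCRE_2016762 by substituting the same
    host and uri wherever the rule backreferences them."""
    return (b"GET " + uri + b" HTTP/1.1\r\n"
            b"User-Agent: http://" + host + uri + b"\r\n"
            b"Host: " + host + b"\r\n\r\n")


def matches_2016762(request: bytes) -> bool:
    return PCRE_2016762.match(request) is not None


def matches_2016716(html: bytes) -> bool:
    """Assumed relative match: run the PCRE on the bytes after "<iframe"
    (a sliced copy, because re's '^' only anchors at the true start)."""
    i = html.find(b"<iframe")
    if i < 0:
        return False
    return PCRE_2016716.match(html[i + len(b"<iframe"):]) is not None


# Constructed samples (hypothetical hosts, not captured traffic)
REQ_OK = build_request_2016762(b"c2.example.invalid", b"/abc/12/345")
REQ_HOST_MISMATCH = (b"GET /abc/12/345 HTTP/1.1\r\n"
                     b"User-Agent: http://c2.example.invalid/abc/12/345\r\n"
                     b"Host: other.invalid\r\n\r\n")
# The converter's literal fallback for sid 2016762, taken from the log
REQ_FALLBACK_LITERAL = b"GET /0/0 HTTP/1.1 User-Agent: http://# Host: "

IFRAME_OK = b'<html><iframe src="http://x.invalid/0123456789abcdef/q.php"></iframe>'
IFRAME_MIXED_QUOTES = b'<html><iframe src="http://x.invalid/0123456789abcdef/q.php\'></iframe>'
# The converter's generated payload for sid 2016716 (hex dump in the log,
# with the '#' placeholder emitted as a 0x00 byte)
IFRAME_FALLBACK_LITERAL = b'<iframe \rsrc="http://\x00//q.php'

if __name__ == "__main__":
    print("generated request :", matches_2016762(REQ_OK))                # True
    print("host mismatch     :", matches_2016762(REQ_HOST_MISMATCH))     # False
    print("fallback literal  :", matches_2016762(REQ_FALLBACK_LITERAL))  # False
    print("iframe, same quote:", matches_2016716(IFRAME_OK))             # True
    print("iframe, mixed     :", matches_2016716(IFRAME_MIXED_QUOTES))   # False
    print("iframe fallback   :", matches_2016716(IFRAME_FALLBACK_LITERAL))  # False
```

The point for anyone extending the converter: a content-only fallback can reproduce the literal fragments of a rule, but a PCRE with backreferences is a consistency constraint across fields (URI, User-Agent and Host here; opening and closing quote in the iframe rules), so generating a matching payload means capturing a value once and copying it to each (?P=name) position, which is what build_request_2016762 does.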
Building Rule: 2016829 -------- Hex Payload Start ---------- 50 4f 53 54 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 28 43 6f 6d 70 61 74 69 62 6c 65 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2016830 -------- Hex Payload Start ---------- 30 30 3a 30 30 3a 30 30 3b 20 70 61 74 68 3d 2f 22 3b 76 61 72 20 6a 3d 30 3b 20 77 68 69 6c 65 28 6a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016831 -------- Hex Payload Start ---------- 55 6e 69 6f 6e 31 2e 63 6c 61 73 73 20 55 6e 69 6f 6e 32 2e 63 6c 61 73 73 20 53 79 73 74 65 6d 43 6c 61 73 73 2e 63 6c 61 73 73 20 50 6f 43 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016832 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016833 -------- Hex Payload Start ---------- 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 74 69 6d 65 20 23 64 65 66 61 75 6c 74 23 74 69 6d 65 32 20 3c 74 3a 41 4e 49 4d 41 54 45 43 4f 4c 4f 52 20 65 76 61 6c 28 --------- Hex Payload End ----------- ^[^\r\n]*?\x60[^\x60]*?\$\{IFS\} content:"`${IFS}"; |---------------------| Building Rule: 2016835 -------- Hex Payload Start ---------- 24 7b 49 46 53 7d 20 6d 61 69 6c 20 66 72 6f 6d 3a 20 60 24 7b 49 46 53 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016836 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Alina Checkin"; flow: established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"User-Agent|3a| Alina v"; http_header; content:"act="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; content:"&v="; http_client_body; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016837; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2016838 -------- Hex Payload Start ---------- 50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 6c 69 6e 61 20 76 --------- Hex Payload End ----------- \/[a-f0-9]+\.zip$ uricontent:"/a.zip"; |---------------------| Building Rule: 2016839 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- ^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q) NOT IMPL Groupref content:"="aaaaaaaaa.jar"; |---------------------| Building Rule: 2016840 -------- Hex Payload Start ---------- 6a 6e 6c 70 5f 65 6d 62 65 64 64 65 64 20 3c 2f 61 70 70 6c 65 74 3e 20 3c 61 70 70 6c 65 74 61 72 63 68 69 76 65 20 3d 22 61 61 61 61 61 61 61 61 61 2e 6a 61 72 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion path disclosure to get the absolute path"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/administrator/analyzer/index.cfm"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2016842 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016843 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/downloads\/IPFilter\.exe$ uricontent:"/downloads/IPFilter.exe"; |---------------------| Building Rule: 2016844 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 49 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016845 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 54 54 50 69 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017349 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- \.xpi$ uricontent:".xpi"; |---------------------| Building Rule: 2016846 -------- Hex Payload Start ---------- 20 20 46 69 72 65 66 6f 78 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016847 -------- Hex Payload Start ---------- 20 20 43 68 72 6f 6d 65 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016848 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- ^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n? 
content:"AA-XP-A}A "; |---------------------| Building Rule: 2016849 -------- Hex Payload Start ---------- 4e 49 43 4b 20 4e 65 77 7b 20 41 41 2d 58 50 2d 41 7d 41 0d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016850 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016851 -------- Hex Payload Start ---------- 69 6e 67 64 78 2e 68 74 6d 41 7b 69 70 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2016852 -------- Hex Payload Start ---------- 71 56 37 2f 3b 70 46 --------- Hex Payload End ----------- ^\/[a-z][a-z0-9]+$ uricontent:"/aa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:"/aa"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016853; rev:15;) Parser failed - skipping rule |---------------------| Building Rule: 2016854 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4d 5a 54 68 69 73 20 70 72 6f 67 72 61 6d 64 65 78 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016855 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4d 5a 54 68 69 73 20 70 72 6f 67 72 61 6d 50 4b 03 63 6c 61 73 73 65 73 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016856 -------- Hex Payload Start ---------- 0d 0a 0d 0a 64 65 78 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016859 -------- Hex Payload Start ---------- 
20 20 4a 61 76 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2016861 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016862 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 65 6e 64 66 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016863 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016864 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 50 48 54 54 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016865 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 4d 53 46 52 54 43 42 56 44 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a| MyHttpClient"; http_header; content:"tit="; fast_pattern; depth:4; http_client_body; content:"&cont="; http_client_body; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016866; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016868 -------- Hex Payload Start ---------- 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 78 6f 72 28 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 20 50 6c 75 67 69 6e 44 65 74 65 63 74 2e 67 65 74 56 65 72 73 69 6f 6e --------- Hex Payload End ----------- ^\/[a-f0-9]{16}$ uricontent:"/aaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; uricontent:"/aaaaaaaaaaaaaaaa"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016881 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 4d 42 56 44 46 52 45 53 43 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016882 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 53 4d 42 56 43 54 46 52 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016883 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 42 45 53 43 56 44 46 52 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016884 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 43 42 46 52 56 44 45 4d 53 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2016885 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 45 4d 4f 4d 41 4b 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016886 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 45 4d 4f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016887 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 50 48 54 54 50 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016888 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 65 6e 64 46 69 6c 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016891 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 76 62 75 73 65 72 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016892 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 66 6f 6c 64 65 72 77 69 6e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016893 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 6d 61 61 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016894 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6e 65 6e 74 6f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016895 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 75 67 6d 61 61 6c 0d 0a --------- Hex Payload End ----------- &b=[a-f0-9]{7}&k=[a-f0-9]{32} uricontent:"&b=aaaaaaa&k=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016896 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| 
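Two of the rules the log above skips with "Unsupported keyword" are worth being able to evaluate outside the converter: sid 2016922 (PCRat/Gh0st CnC), whose detection is a byte_jump plus isdataat length-consistency check rather than a fixed string, and sids 2016774/2016775 (generic HTTP EXE upload), a three-content chain over the client body. The example below is added here and is not the converter's code or part of the ET ruleset; it re-implements those option chains in Python and runs them over constructed packets. Assumptions, stated because the log does not spell them out: content takes the first occurrence only (no retry on later occurrences); offset is absolute and distance/within are relative to the previous match end; byte_jump with from_beginning treats the read value as an absolute payload position and fails when it lands out of range; isdataat:N,relative is true when at least N bytes remain after the detection pointer (a one-byte difference between engines would not change the outcomes on these samples). The packet layout, magic string and bodies are constructed for the example.

```python
"""Added example, not the converter's code or the ET ruleset's: re-implement
the option chains of sid 2016922 and sids 2016774/2016775 and run them over
constructed packets.  See the assumptions in the lead-in; they are repeated
on the functions below."""
import struct
import zlib


def content(buf, pat, pos, offset=None, distance=None, within=None):
    """One content match (assumed: first occurrence only).  Returns the new
    detection pointer (index just past the match) or None on failure."""
    if offset is not None:
        start = offset                 # offset: absolute search start
    elif distance is not None:
        start = pos + distance         # distance: relative to previous match end
    else:
        start = pos
    if start < 0 or start > len(buf):
        return None
    end = len(buf) if within is None else min(len(buf), start + within)
    i = buf.find(pat, start, end)
    return None if i < 0 else i + len(pat)


def byte_jump_from_beginning(buf, pos, nbytes, rel_offset, little, post_offset):
    """byte_jump:<nbytes>,<rel_offset>,relative,<endian>,from_beginning,post_offset <n>
    (assumed: value is an absolute position; out-of-range fails the option)."""
    start = pos + rel_offset
    if start < 0 or start + nbytes > len(buf):
        return None
    fmt = ("<" if little else ">") + {1: "B", 2: "H", 4: "I"}[nbytes]
    value = struct.unpack(fmt, buf[start:start + nbytes])[0]
    new_pos = value + post_offset
    if new_pos < 0 or new_pos > len(buf):
        return None
    return new_pos


def isdataat(buf, pos, n):
    """isdataat:n,relative (assumed: at least n bytes remain after pos)."""
    return len(buf) - pos >= n


def match_gh0st_2016922(payload: bytes) -> bool:
    """dsize:>11; content:"|78 9c|"; offset:8;
    byte_jump:4,-10,relative,little,from_beginning,post_offset -1;
    isdataat:!2,relative"""
    if len(payload) <= 11:
        return False
    pos = content(payload, b"\x78\x9c", 0, offset=8)    # zlib stream header
    if pos is None:
        return False
    # Read the 4-byte little-endian field 8 bytes before the zlib header (the
    # declared packet length) and jump to its last byte ...
    pos = byte_jump_from_beginning(payload, pos, 4, -10, True, -1)
    if pos is None:
        return False
    # ... then require that no further data follows: the declared length has
    # to agree with what was actually sent.
    return not isdataat(payload, pos, 2)


def match_exe_upload_body_2016774(body: bytes) -> bool:
    """http_client_body part of sids 2016774/2016775: "MZ", then
    "|00 00 00 00|", then "PE|00 00|", each distance:0 (in order)."""
    pos = content(body, b"MZ", 0)
    if pos is None:
        return False
    pos = content(body, b"\x00\x00\x00\x00", pos, distance=0)
    if pos is None:
        return False
    return content(body, b"PE\x00\x00", pos, distance=0) is not None


def build_gh0st_packet(magic: bytes, body: bytes) -> bytes:
    """Constructed layout assumed by the rule: <magic><total length, LE u32>
    <uncompressed length, LE u32><zlib stream>.  zlib.compress at the default
    level emits the 78 9c header the rule searches for from offset 8."""
    comp = zlib.compress(body)
    total = len(magic) + 8 + len(comp)
    return magic + struct.pack("<I", total) + struct.pack("<I", len(body)) + comp


# Constructed samples (not captured traffic)
SAMPLE_GH0ST = build_gh0st_packet(b"Gh0st", b"constructed check-in body")
SAMPLE_HTTP_ZLIB = b"HTTP/1.1 200 OK\r\n\r\n" + zlib.compress(b"x" * 40)
SAMPLE_PE_BODY = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_ZIP_BODY = b"PK\x03\x04" + b"\x00" * 30

if __name__ == "__main__":
    print("gh0st packet     :", match_gh0st_2016922(SAMPLE_GH0ST))            # True
    print("gh0st + 2 bytes  :", match_gh0st_2016922(SAMPLE_GH0ST + b"\0\0"))  # False
    print("gh0st truncated  :", match_gh0st_2016922(SAMPLE_GH0ST[:-4]))       # False
    print("http zlib body   :", match_gh0st_2016922(SAMPLE_HTTP_ZLIB))        # False
    print("PE upload body   :", match_exe_upload_body_2016774(SAMPLE_PE_BODY))   # True
    print("zip upload body  :", match_exe_upload_body_2016774(SAMPLE_ZIP_BODY))  # False
```

The Gh0st rule is a good illustration of why a hex-payload converter cannot represent every rule as bytes: apart from the two-byte zlib header there is no fixed string, and the signal is that the length field sitting 8 bytes before that header equals the payload length (the trailing and truncated samples fail for exactly that reason, and an HTTP response carrying a zlib body fails because the bytes where the length field would be decode to an out-of-range position). The EXE-upload chain, by contrast, is pure ordered content matching and only needs distance:0 to enforce the MZ, then PE\0\0 order.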
Building Rule: Protocol Not Supported \/gate\.php\?reg=([a-z]{10}|[A-Za-z]{15})$ uricontent:"/gate.php?reg=aaaaaaaaaa"; |---------------------| Building Rule: 2016899 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- \/gate\.php\?cmd=getinstallconfig$ uricontent:"/gate.php?cmd=getinstallconfig"; |---------------------| Building Rule: 2016902 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016903 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 4d 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016904 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 68 69 6c 6b 61 74 55 70 6c 6f 61 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016905 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 4d 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016906 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 4d 52 --------- Hex Payload End ----------- \/gate\.php\?id=[a-z]{15}$ uricontent:"/gate.php?id=aaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2016909 -------- Hex Payload Start ---------- 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 53 79 6e 61 70 73 65 29 20 2e --------- Hex Payload End ----------- \/get$ uricontent:"/get"; |---------------------| Building Rule: 2016910 -------- Hex Payload Start ---------- 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 53 79 6e 61 70 73 65 29 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2016911 Error here within! 
-------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 20 20 20 20 20 20 20 4d 53 49 45 20 20 48 6f 73 74 3a 20 75 70 64 61 74 65 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016914 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6d 61 72 74 2d 52 54 50 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016915 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6d 61 72 74 2d 52 54 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016916 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 75 73 74 6f 6d 5f 35 36 35 36 32 5f 48 74 74 70 43 6c 69 65 6e 74 2f 56 45 52 5f 53 54 52 5f 43 4f 4d 4d 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016917 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016919 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016920 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2016923 -------- Hex Payload Start ---------- 67 6f 6e 61 67 45 78 70 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016924 -------- Hex Payload Start ---------- 32 30 31 33 30 34 32 32 2e 63 6c 61 73 73 --------- Hex Payload End ----------- ^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class content:".class"; |---------------------| Building Rule: 2016925 -------- Hex Payload Start ---------- 41 70 70 6c 65 74 4f 62 6a 65 63 74 2e 63 6f 64 65 47 6f 6e 64 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- ^((?!<\/applet>).)+?[\x22\x27]1337\.exe NOT IMPL not _simple(av) in REPEATING CODES content:""1337.exe"; |---------------------| Building Rule: 2016926 -------- Hex Payload Start ---------- 31 33 33 37 2e 65 78 65 20 3c 41 50 50 4c 45 54 20 22 31 33 33 37 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016927 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 77 65 43 61 6d 65 46 72 6f 6d 48 65 6c 6c 28 73 70 61 77 41 6e 79 6f 6e 65 28 --------- Hex Payload End ----------- ^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func) Parser failed - skipping rule \/FlashPlayer\.cpl$ uricontent:"/FlashPlayer.cpl"; |---------------------| Building Rule: 2016929 -------- Hex Payload Start ---------- --------- Hex 
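The records in this log come from a converter that reads Emerging Threats rules and emits a "Hex Payload" built from each rule's content matches, and that skips a rule as soon as it meets an option it cannot handle ("Unsupported keyword! Error parsing rule contents ... Parser failed - skipping rule"). The Python below is an added example, not the converter's own code, showing the two steps that produce such a record: splitting the option block while honouring quoted values, and decoding content strings, including |hex| escapes, into the byte sequence the log prints. The SUPPORTED keyword set is an assumption (the log never names the keyword it rejected; for sid 2016921 the example treats threshold as the unsupported one to reproduce the skip), and the sid 9000001 rule is constructed for the example, with a content that deliberately spells the same bytes the log shows for sid 2016886.

```python
import re
from typing import Dict, List, Tuple

# ASSUMPTION: keywords this illustrative converter can turn into payload bytes
# or safely ignore. The real converter behind the log publishes no such list.
SUPPORTED = {
    "msg", "flow", "content", "uricontent", "nocase", "depth", "offset",
    "distance", "within", "fast_pattern", "http_uri", "http_header", "pcre",
    "reference", "classtype", "sid", "rev", "metadata",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split the option block on ';' while honouring quotes and backslash
    escapes, so a ';' inside content:"..." or pcre:"/.../" stays data."""
    out: List[Tuple[str, str]] = []
    buf: List[str] = []
    quoted = escaped = False

    def flush() -> None:
        tok = "".join(buf).strip()
        if tok:
            key, _, val = tok.partition(":")
            out.append((key.strip(), val.strip()))
        buf.clear()

    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            flush()
        else:
            buf.append(ch)
    flush()
    return out


def content_to_bytes(value: str) -> bytes:
    """Decode a Snort/Suricata content value: text outside |...| is literal,
    text inside |...| is space-separated hex, and \\" \\; \\\\ are escapes."""
    s = value.strip()
    if s.startswith("!"):              # negated match: same bytes, inverted sense
        s = s[1:]
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    parts = s.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced | in content {value!r}")
    out = bytearray()
    for idx, part in enumerate(parts):
        if idx % 2:                    # odd index: between a pair of pipes
            out += bytes.fromhex(part)
        else:
            out += re.sub(r"\\([\\\";:])", r"\1", part).encode("latin-1")
    return bytes(out)


def build_rule(rule: str) -> Dict[str, object]:
    """Mirror one 'Building Rule' record: sid, protocol, the hex payload made by
    concatenating every content/uricontent match in rule order, and the option
    keywords that would make the converter skip the rule instead."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("line is not a Snort/Suricata rule")
    opts = split_options(m.group("opts"))
    sid = next((v for k, v in opts if k == "sid"), None)
    payload = b"".join(content_to_bytes(v) for k, v in opts
                       if k in ("content", "uricontent"))
    unsupported = sorted({k for k, _ in opts if k not in SUPPORTED})
    return {"sid": sid, "proto": m.group("proto"), "hex": payload.hex(" "),
            "unsupported": unsupported, "skipped": bool(unsupported)}


# Two rules quoted from the log (sid 2016921, 2016947) and one CONSTRUCTED rule
# with a made-up sid whose content spells the bytes the log prints for 2016886.
RULE_2016921 = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious '
                'Mozilla UA with no Space after colon"; flow:established,to_server; '
                'content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; '
                'threshold: type limit,track by_src,count 2,seconds 60; '
                'classtype:trojan-activity; sid:2016921; rev:5;)')
RULE_2016947 = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo '
                'Response 1"; flow:established,to_client; content:"ci_session="; http_cookie; '
                'content:"|0d 0a 0d 0a|ne_unik"; fast_pattern; isdataat:!1,relative; '
                'reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; '
                'sid:2016947; rev:3;)')
RULE_CONSTRUCTED = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed example"; '
                    'flow:established,to_server; content:"User-Agent|3a 20|DEMO|0d 0a|"; '
                    'http_header; classtype:trojan-activity; sid:9000001; rev:1;)')

if __name__ == "__main__":
    for r in (RULE_2016921, RULE_2016947, RULE_CONSTRUCTED):
        print(build_rule(r))
```

A payload assembled this way only proves that the signature fires on the bytes it names; buffer modifiers such as http_cookie or http_client_body change where the engine looks for those bytes, so a concatenated blob is a smoke test for the rule, not a replay of the traffic the rule was written against.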
Payload End ----------- |---------------------| Building Rule: 2016930 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- \.php\?jnlp=[a-f0-9]{10}(,|$) uricontent:".php?jnlp=aaaaaaaaaa,"; |---------------------| Building Rule: 2016931 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- meta=(?:id=)?[a-z]+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"meta=a"; |---------------------| Building Rule: 2016932 -------- Hex Payload Start ---------- 20 20 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2016934 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 61 6e 74 61 73 69 61 0d 0a --------- Hex Payload End ----------- \bSELECT.*?\bSLEEP uricontent:"SELECTSLEEP"; |---------------------| Building Rule: 2016935 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016936 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016938 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016939 -------- Hex Payload Start ---------- 47 45 54 20 2e 70 68 70 3f 54 3d 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 54 65 73 6c 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016940 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 --------- Hex Payload End ----------- ^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C NOT IMPL not _simple(av) in REPEATING CODES content:"="#">%AA%3C"; |---------------------| Building Rule: 2016942 -------- Hex 
Payload Start ---------- 3c 64 69 76 20 69 64 20 3d 22 00 22 3e 25 41 41 25 33 43 7b 76 65 72 73 69 6f 6e 3a 22 30 2e 38 2e 30 22 --------- Hex Payload End ----------- \/\d+\.pkg$ uricontent:"/0.pkg"; |---------------------| Building Rule: 2016943 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016944 -------- Hex Payload Start ---------- 2e 6e 65 74 37 38 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016945 -------- Hex Payload Start ---------- 0d 0a 0d 0a 58 23 3a d4 --------- Hex Payload End ----------- ^\/stat\/[a-z]{3,4}\/\d{1,4}$ uricontent:"/stat/aaa/0"; |---------------------| Building Rule: 2016946 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 1"; flow:established,to_client; content:"ci_session="; http_cookie; content:"|0d 0a 0d 0a|ne_unik"; fast_pattern; isdataat:!1,relative; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; content:"ci_session="; http_cookie; content:"|0d 0a 0d 0a|ok"; fast_pattern; isdataat:!1,relative; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016949 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 37 35 20 5b 65 6e 5d 20 28 58 31 31 3b 20 55 3b 20 4c 69 6e 75 78 20 32 2e 32 2e 31 36 2d 33 20 69 36 38 36 29 0d 0a 20 3a 38 30 0d 0a --------- Hex Payload End ----------- ip\.txt$ uricontent:"ip.txt"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; content:"/ip.txt"; http_uri; nocase; fast_pattern:only; uricontent:"ip.txt"; pcre:"/^User-Agent\x3a(?!\x20Mozilla\/)[^\r\n]+\r?$/Hm"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:2;) Parser failed - skipping rule ^\/[0-9a-f]{32}\.html$ uricontent:"/00000000000000000000000000000000.html"; |---------------------| Building Rule: 2016952 -------- Hex Payload Start ---------- 20 47 45 54 20 52 65 66 65 72 65 72 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016953 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; content:"memberAccess"; http_client_body; nocase; content:"allowStaticMethodAccess"; http_client_body; nocase; classtype:attempted-user; sid:2016954; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016956 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; content:"java.io.FileOutputStream"; http_client_body; nocase; content:".write"; distance:0; nocase; http_client_body; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2016959 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018765 -------- Hex Payload Start ---------- 47 45 54 20 53 77 69 7a 7a 30 33 72 20 44 6f 77 6e 6c 6f 61 64 20 41 67 65 6e 74 --------- Hex Payload End ----------- &p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$ 
uricontent:"&p=0.0.0.0&j=0.0.0.0&f=0.0.0.0"; |---------------------| Building Rule: 2016964 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$ uricontent:"/j_a_.jar"; |---------------------| Building Rule: 2016965 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016966 -------- Hex Payload Start ---------- 61 35 63 68 5a 65 76 21 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016967 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016969 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016970 -------- Hex Payload Start ---------- 0d 0a 0d 0a f2 fd 90 00 bc a7 00 00 --------- Hex Payload End ----------- \.txt\?f=\d+$ uricontent:".txt?f=0"; |---------------------| Building Rule: 2016976 -------- Hex Payload Start ---------- 2e 74 78 74 3f 66 3d 20 2e --------- Hex Payload End ----------- \ballow_url_include\s*?= uricontent:"allow_url_include="; |---------------------| Building Rule: 2016977 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \bsafe_mode\s*?= uricontent:"safe_mode="; |---------------------| Building Rule: 2016978 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \bsuhosin\.simulation\s*?= uricontent:"suhosin.simulation="; |---------------------| Building Rule: 2016979 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \bdisable_functions[\s\+]*?= uricontent:"disable_functions="; |---------------------| Building Rule: 2016980 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
\bopen_basedir\s*?= uricontent:"open_basedir="; |---------------------| Building Rule: 2016981 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \bauto_prepend_file\s*?= uricontent:"auto_prepend_file="; |---------------------| Building Rule: 2016982 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/phppath\/php\b uricontent:"/phppath/php"; |---------------------| Building Rule: 2016983 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016984 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018558 Error here within! -------- Hex Payload Start ---------- 00 ff 20 00 00 00 --------- Hex Payload End ----------- \.gif\x3f[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".gif?0000=0"; |---------------------| Building Rule: 2018340 Error here depth! -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 74 2e --------- Hex Payload End ----------- ^\x2Ftmp\x2F.+\x2Eexe$ uricontent:"/tmp/0.exe"; |---------------------| Building Rule: 2016985 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2016986 -------- Hex Payload Start ---------- c4 4c 87 3f 11 1e c4 1a --------- Hex Payload End ----------- |---------------------| Building Rule: 2016987 -------- Hex Payload Start ---------- ac 09 7b 09 4b 2a 92 bd ac 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016988 -------- Hex Payload Start ---------- ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016989 -------- Hex Payload Start ---------- ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2016990 -------- Hex Payload Start ---------- 
ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Alina Server Response Code"; flow: established,from_server; content:" 666 OK|0d 0a|"; fast_pattern:only; content:"666"; http_stat_code; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; content:".tar.gz"; nocase; http_client_body; classtype:bad-unknown; sid:2016992; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017006 -------- Hex Payload Start ---------- 53 63 72 69 70 74 42 72 69 64 67 65 2e 53 63 72 69 70 74 42 72 69 64 67 65 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 2f 00 76 00 77 00 2e 00 70 00 68 00 70 00 3f 00 69 00 3d --------- Hex Payload End ----------- \/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$ uricontent:"/vw.php?i=a-a"; |---------------------| Building Rule: 2017007 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017008 -------- Hex Payload Start ---------- 89 50 4e 47 0d 0a 1a 0a 49 48 44 52 20 20 20 20 20 20 20 20 20 20 20 20 20 74 45 58 74 64 62 2e 70 68 70 3f 6a 3d 20 6d 73 6e 6d 75 73 61 78 2e 6e 69 6e 6e --------- Hex Payload End ----------- \.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$ uricontent:".php?a_info=a_0"; |---------------------| Building Rule: 2017002 -------- Hex Payload Start ---------- 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017003 -------- Hex Payload Start ---------- 53 68 69 70 6d 65 6e 74 5f 4c 61 62 65 6c 2e 7a 69 70 20 0d 0a 0d 0a 50 4b 
2e 65 78 65 --------- Hex Payload End ----------- ^\/[a-z0-9]{3,}\/upload\/img\.jpg$ uricontent:"/aaa/upload/img.jpg"; |---------------------| Building Rule: 2017004 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_client_body; fast_pattern:only; classtype:bad-unknown; sid:2017010; rev:3;) Parser failed - skipping rule \/\d+\/\d\.zip$ uricontent:"/0/0.zip"; |---------------------| Building Rule: 2017011 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- \/jvm\.dll$ uricontent:"/jvm.dll"; |---------------------| Building Rule: 2017012 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017013 -------- Hex Payload Start ---------- 3c 6a 6e 6c 70 20 69 6e 69 74 69 61 6c 2d 68 65 61 70 2d 73 69 7a 65 20 6d 61 78 2d 68 65 61 70 2d 73 69 7a 65 20 2d 58 58 61 6c 74 6a 76 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2017014 -------- Hex Payload Start ---------- 6a 6e 6c 70 5f 65 6d 62 65 64 64 65 64 20 36 75 32 37 2e 6a 61 72 20 36 75 34 31 2e 6a 61 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017015 Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 18 2a 2e 64 72 6f 70 62 6f 78 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2017016 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017017 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017018 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017019 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 20 --------- Hex Payload End ----------- &k=\d{16}(&|$) uricontent:"&k=0000000000000000&"; |---------------------| Building Rule: 2017020 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 --------- Hex Payload End ----------- ^\/999$ uricontent:"/999"; |---------------------| Building Rule: 2017021 -------- Hex Payload Start ---------- 20 47 45 54 20 2e 20 2e 30 0d 0a 48 6f 73 74 --------- Hex Payload End ----------- =(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"=3a3133"; |---------------------| Building Rule: 2017022 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$ uricontent:".php?hash=I3QxWA"; |---------------------| Building Rule: 2017023 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017025 -------- Hex Payload Start ---------- 55 73 65 72 20 61 63 63 6f 75 6e 74 73 20 66 6f 72 20 5c 5c 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2017026 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 45 58 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017027 -------- Hex Payload Start ---------- 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 63 73 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- ^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$ uricontent:"/0/red0.php"; |---------------------| Building Rule: 2017028 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017029 Error here within! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017031 Error here within! Error here within! 
-------- Hex Payload Start ---------- 2f 69 6e 69 66 72 61 6d 65 2f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 20 2f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017032 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017035 -------- Hex Payload Start ---------- 2c 35 33 2c 31 35 34 2c 31 37 30 2c 31 37 30 2c 31 36 34 2c 37 36 2c 36 33 2c 36 33 2c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017034 -------- Hex Payload Start ---------- 72 65 70 6f 72 74 5f 61 6e 64 5f 67 65 74 5f 65 78 70 6c 6f 69 74 73 28 5f 30 78 --------- Hex Payload End ----------- \.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?a=a&a="; |---------------------| Building Rule: 2017036 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 53 49 45 20 36 2e 30 3b 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017038 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017039 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- \.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?v=1."; |---------------------| Building Rule: 2017040 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017041 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017042 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017043 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017044 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e 36 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017046 -------- Hex Payload Start ---------- 2d 67 65 74 20 68 74 74 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017047 -------- Hex Payload Start ---------- 2d 70 6f 73 74 31 20 68 74 74 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017048 -------- Hex Payload Start ---------- 2d 70 6f 73 74 32 20 68 74 74 70 --------- Hex Payload 
End ----------- |---------------------| Building Rule: 2017049 -------- Hex Payload Start ---------- 2d 69 70 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017050 -------- Hex Payload Start ---------- 2d 69 70 32 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017051 -------- Hex Payload Start ---------- 2d 75 64 70 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017052 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 a1 60 33 9a 8a 1b 3b c0 d1 ab 95 6c f9 88 55 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017053 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 b8 ab f4 15 03 37 17 b7 41 32 d5 03 b6 ea 38 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; content:"|7F|ELF"; http_client_body; classtype:bad-unknown; sid:2017054; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017055 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 20 3a 03 31 30 4f 4b 3a 03 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017056 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 20 3a 5b 41 72 79 61 4e 5d 3a 20 20 64 6f 77 6e 6c 6f 61 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017057 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 44 6f 77 6e 6c 6f 61 64 20 61 6e 64 20 45 78 65 63 75 74 65 20 53 63 68 65 64 75 6c 65 64 20 5b 46 69 6c 65 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017058 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 46 6c 6f 6f 64 3a 20 53 74 61 72 74 65 64 20 5b 54 79 70 65 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017059 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 42 6f 74 6b 69 6c 6c 3a 20 43 79 63 6c 65 64 20 6f 6e 63 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017060 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 5f 76 3d 20 64 65 6c 65 74 65 69 64 3d --------- Hex Payload End ----------- \bsolusvmc-node\b content:"solusvmc-node"; |---------------------| Building Rule: 2017061 -------- Hex Payload Start ---------- 73 6f 6c 75 73 76 6d 63 2d 6e 6f 64 65 20 73 6f 6c 75 73 76 6d 63 2d 6e 6f 64 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017063 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 6e 61 6d 65 3d 61 63 74 69 6f 6e 6e 61 6d 65 3d 61 63 74 69 6f 6e 6e 61 6d 65 3d 61 63 74 69 6f 6e --------- Hex Payload End ----------- ^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#) NOT IMPL not _simple(av) in REPEATING CODES content:"&#;"; |---------------------| Building Rule: 2017064 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 26 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017065 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- ^\x2F\x3Fwps\x3D[0-9]$ uricontent:"/?wps=0"; |---------------------| Building Rule: 2017068 -------- Hex 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2017251 -------- Hex Payload Start ---------- 25 36 31 25 37 30 25 37 30 25 36 63 25 36 35 25 37 34 25 35 66 25 37 33 25 37 33 25 37 36 25 35 66 25 37 36 25 36 31 25 36 63 25 36 39 25 36 34 25 36 31 25 37 34 25 36 35 25 36 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017252 -------- Hex Payload Start ---------- 25 35 38 25 33 31 25 33 39 25 36 38 25 36 33 25 34 38 25 34 32 25 37 33 25 35 61 25 35 38 25 35 32 25 36 36 25 36 33 25 33 33 25 34 65 25 33 32 25 35 38 25 33 33 25 35 61 25 36 38 25 36 32 25 34 37 25 36 63 25 36 62 25 35 39 25 35 38 25 35 32 25 36 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017253 -------- Hex Payload Start ---------- 25 33 39 25 36 36 25 35 39 25 35 38 25 34 32 25 37 37 25 36 32 25 34 37 25 35 36 25 33 30 25 35 38 25 33 33 25 34 65 25 37 61 25 36 34 25 36 63 25 33 39 25 33 32 25 35 39 25 35 37 25 37 38 25 37 30 25 35 61 25 34 37 25 34 36 25 33 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017254 -------- Hex Payload Start ---------- 25 36 36 25 35 38 25 33 32 25 34 36 25 37 37 25 36 33 25 34 37 25 37 38 25 36 63 25 36 34 25 34 36 25 33 39 25 37 61 25 36 33 25 33 33 25 35 61 25 36 36 25 36 34 25 36 64 25 34 36 25 37 33 25 36 31 25 35 37 25 35 32 25 36 38 25 36 34 25 34 37 25 35 36 25 36 62 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017257 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/$ uricontent:"/a/a00000/0/00a/a000/"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Comfoo Checkin"; flow:established,to_server; content:"GET"; http_method; uricontent:"/a/a00000/0/00a/a000/"; pcre:"/^User-Agent\x3a[^\r\n]*?\x3bWindows/Hmi"; content:"|3b|Windows"; nocase; fast_pattern:only; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2017262; rev:4;) Parser failed - skipping rule ^\/d\/[a-z]+\d+\.jpg$ uricontent:"/d/a0.jpg"; |---------------------| Building Rule: 2017263 -------- Hex Payload Start ---------- 20 3a 20 48 6f 73 74 3a 20 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017265 Error here within! -------- Hex Payload Start ---------- 76 61 72 20 20 20 3d 20 22 20 2e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 22 20 5a 20 7a 20 5a 20 39 20 7a 20 39 20 20 26 20 31 35 29 20 3c 3c 20 34 29 --------- Hex Payload End ----------- ^\/[a-f0-9]{32}$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CBReplay.P Ransomware"; flow:established,to_server; content:"MSIE 9.0|3b|"; fast_pattern:only; http_header; content:!"Accept|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; urilen:33; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s[^\r\n]+\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n(\r\n)?$/Hi"; classtype:trojan-activity; sid:2017269; rev:2;) Parser failed - skipping rule ^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27] content:"="http://#/?A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""; |---------------------| Building Rule: 2017270 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 76 61 6c 75 65 20 3d 22 68 74 74 70 3a 2f 2f 00 2f 3f 41 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 22 --------- Hex Payload End ----------- ^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\) NOT IMPL Groupref content:""#".replace(/0/g,%)"; |---------------------| Building Rule: 2017271 -------- Hex Payload Start ---------- 50 6c 75 67 69 6e 44 65 74 65 63 74 2e 67 65 74 56 65 72 73 69 6f 6e 20 75 6e 65 73 63 61 70 65 28 20 22 00 22 2e 72 65 70 6c 61 63 65 28 2f 30 2f 67 2c 25 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017272 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017273 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- ^\x2Flts\x2Etxt$ uricontent:"/lts.txt"; |---------------------| Building Rule: 2017274 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017275 -------- Hex Payload Start ---------- 3c 72 65 70 6f 20 3c 64 75 64 70 3e 20 3c 2f 64 75 64 70 3e 20 3c 70 75 64 70 3e 20 3c 2f 70 75 64 70 3e 20 3c 74 62 64 3e 20 3c 64 6f 6d 3e 20 3c 2f 64 6f 6d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017276 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 0d 0a --------- Hex Payload End ----------- \/\$\{[^\}\x2c]+?= uricontent:"/${#="; |---------------------| Building Rule: 2017277 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ${\s*?%{ uricontent:"{%{"; |---------------------| Building Rule: 2017278 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017279 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 57 56 65 72 73 69 6f 6e 54 65 73 74 41 67 65 6e 74 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017280 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017281 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 0d 0a 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017282 -------- Hex Payload Start ---------- 0d 0a 0d 0a 23 40 7e 5e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017283 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 6e 65 74 20 75 73 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017284 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 6e 65 74 20 6c 6f 63 61 6c 67 72 6f 75 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017285 -------- Hex 
Payload Start ---------- 50 52 49 56 4d 53 47 20 20 6e 65 74 20 2f 61 64 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017286 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 6e 65 74 73 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017287 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 69 70 63 6f 6e 66 69 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017288 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 72 65 67 20 20 48 4b 45 59 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017289 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 54 68 65 20 63 6f 6d 6d 61 6e 64 20 63 6f 6d 70 6c 65 74 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017290 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 20 20 3c 44 49 52 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017291 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d --------- Hex Payload End ----------- |---------------------| Building Rule: 2017292 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 57 69 6e 64 6f 77 73 20 49 50 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; content:"4d5a"; nocase; http_client_body; content:"50450000"; distance:0; http_client_body; classtype:bad-unknown; sid:2017293; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017294 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 70 6c 61 74 66 6f 72 6d 64 6c 2e 61 64 6f 62 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- (?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017298 -------- Hex Payload Start ---------- 77 69 6e 64 6f 77 2e 73 74 6f 70 28 20 6f 77 6e 65 72 44 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 20 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 72 65 61 64 79 73 74 61 74 65 63 68 61 6e 67 65 20 41 72 72 61 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017299 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 61 70 70 2e 6a 61 72 0d 0a 20 0d 0a 0d 0a 50 4b ca fe ba be --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017301 -------- Hex Payload Start ---------- 55 6e 61 62 6c 65 20 74 6f 20 66 69 6e 64 20 22 20 50 6c 65 61 73 65 20 43 6c 69 63 6b 20 48 65 72 65 20 74 6f 20 69 6e 73 74 61 6c 6c 2e 2e 2e 2e 2e 2e --------- Hex Payload End ----------- findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$ uricontent:"findloader.php?a=#"; |---------------------| Building Rule: 2017302 -------- 
Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017303 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 2d 72 77 2d 72 2d 2d 72 2d 2d --------- Hex Payload End ----------- ^\/([a-z0-9+]+?\/){3}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Win32/Cridex Checkin"; flow:to_server,established; content:"POST"; http_method; uricontent:"/"; content:"Accept|3a| */*|0d 0a|Host|3a| "; depth:19; http_header; pcre:"/^Accept\x3a \*\/\*\r\nHost\x3a \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080\r\nContent-Length\x3a \d{3}\r\nConnection\x3a Keep-Alive\r\nCache-Control\x3a no-cache\r\n$/H"; content:!"Referer"; http_header; content:!"User-Agent|3a| "; http_header; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:trojan-activity; sid:2017305; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2017306 -------- Hex Payload Start ---------- 3c 2f 73 63 72 69 70 74 3e 23 2f 30 66 32 34 39 30 23 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017307 -------- Hex Payload Start ---------- 3c 2f 73 63 72 69 70 74 3e 23 2f 30 66 32 34 39 30 23 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/DirCrypt.Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; http_client_body; fast_pattern:24,20; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; reference:url,johannesbader.ch/2015/03/the-dga-of-dircrypt; classtype:trojan-activity; sid:2017308; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017310 -------- Hex Payload Start ---------- 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a 2f 77 70 2d 6c 6f 67 69 6e 2e 70 68 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017311 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017312 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 70 70 69 64 6e 03 6e 65 74 00 00 10 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\d+?\.\d+?\sstarted content:"0.0 started"; |---------------------| Building Rule: 2017314 -------- Hex Payload Start ---------- 50 52 49 53 4d 20 76 20 30 2e 30 20 73 74 61 72 74 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017315 -------- Hex Payload Start ---------- 56 45 52 53 4f 4e 45 58 3a 20 4d 72 2e 42 6c 61 63 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2017317 -------- Hex Payload Start ---------- 70 74 79 2e 73 70 61 77 6e 28 22 2f 62 69 6e 2f 73 68 22 29 --------- Hex Payload End ----------- ^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip) content:"#."; |---------------------| Building Rule: 2017318 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 00 2e --------- Hex Payload End ----------- ^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}] content:"[AAA]"; |---------------------| Building Rule: 2017319 -------- Hex Payload Start ---------- 4e 49 43 4b 20 20 5b 41 41 41 5d --------- Hex Payload End ----------- ^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista) content:""; |---------------------| Building Rule: 2017321 -------- Hex Payload Start ---------- 4e 49 43 4b 20 20 20 2e --------- Hex Payload End ----------- ^[^\r\n]*win content:"win"; |---------------------| Building Rule: 2017322 -------- Hex Payload Start ---------- 4e 49 43 4b 20 20 77 69 6e --------- Hex Payload End ----------- ^[^\r\n]*-PC content:"-PC"; |---------------------| Building Rule: 2017323 -------- Hex Payload Start ---------- 4e 49 43 4b 20 20 2d 50 43 --------- Hex Payload End ----------- 
(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d) Parser failed - skipping rule |---------------------| Building Rule: 2017325 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017326 -------- Hex Payload Start ---------- 47 45 54 20 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 35 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017328 -------- Hex Payload Start ---------- 37 33 36 35 37 34 35 33 36 35 36 33 37 35 37 32 36 39 37 34 37 39 34 64 36 31 36 65 36 31 36 37 36 35 37 32 32 38 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017329 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017330 -------- Hex Payload Start ---------- 53 45 4c 45 43 54 73 79 73 6f 62 6a 65 63 74 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017333 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017334 -------- Hex Payload Start ---------- 3d 28 65 76 61 6c 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2017335 -------- Hex Payload Start ---------- 3d 5b 22 65 76 61 6c 22 5d 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2017336 -------- Hex Payload Start ---------- 3d 5b 27 65 76 61 6c 27 5d 3b --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2017337 -------- Hex Payload Start ---------- 53 45 4c 45 43 54 69 6e 66 6f 72 6d 61 74 69 6f 6e 5f 73 63 68 65 6d 61 2e 63 6f 6c 75 6d 6e 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017340 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017341 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 65 73 63 72 69 70 74 69 6f 6e 3a 20 46 69 6c 65 20 54 72 61 6e 73 66 65 72 20 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 66 6f 6e 74 2e 65 6f 74 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Spy.KeyLogger.OCI CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"pcname="; http_client_body; depth:7; content:"¬e="; http_client_body; distance:0; content:"&country="; http_client_body; distance:0; content:"&user="; http_client_body; distance:0; content:"&log="; http_client_body; distance:0; reference:url,www.virusradar.com/en/Win32_Spy.KeyLogger.OCI/description; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis/; classtype:trojan-activity; sid:2017343; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017344 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[a-f0-9]{4} content:"aaaa"; |---------------------| Building Rule: 2017345 -------- Hex Payload Start ---------- 5c 75 39 30 39 30 5c 20 61 61 61 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017350 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017351 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017352 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017353 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017354 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017355 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017356 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017357 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017358 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017359 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017360 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017362 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 32 38 2e 30 2e 31 35 30 30 2e 37 31 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 48 6f 73 74 20 2e 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017363 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 49 4e 65 74 53 69 6d 20 48 54 54 50 20 53 65 72 76 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017364 Error here within! 
-------- Hex Payload Start ---------- 20 26 20 31 35 29 20 3c 3c 20 34 29 20 28 22 20 2e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 22 20 5a 20 7a 20 5a 20 39 20 7a 20 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017365 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 69 65 78 70 6c 6f 72 65 20 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^[^\r\n]+?\$$ content:"#$"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Win32/Napolar.A URL Response"; flow:from_server,established; content:"200"; http_stat_code; content:"|0d 0a 0d 0a|http|3a|//"; content:"#$"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:3;) Parser failed - skipping rule ^\/search\?query=[A-Z0-9]{8}&sort=relevance$ uricontent:"/search?query=AAAAAAAA&sort=relevance"; |---------------------| Building Rule: 2017368 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 48 6f 73 74 3a 20 67 72 6f 75 70 73 2e 79 61 68 6f 6f 2e 63 6f 6d 0d 0a 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017369 -------- Hex Payload Start ---------- 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017370 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017372 -------- Hex Payload Start ---------- 41 75 73 74 72 61 6c 69 61 6e 20 48 6f 6c 69 64 61 79 22 20 3c 61 70 70 6c 65 74 --------- Hex Payload End ----------- ^[a-f0-9]{6}\*\/ content:"aaaaaa*/"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; content:"/*/"; fast_pattern; content:"aaaaaa*/"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:7;) Parser failed - skipping rule ^[a-f0-9]{6}# content:"aaaaaa#"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic PHP Format"; flow:from_server,established; content:"echo "; fast_pattern; content:"#/"; distance:0; content:"aaaaaa#"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:7;) Parser failed - skipping rule ^[a-f0-9]{6}\-\-\> content:"aaaaaa-->"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic HTML Format"; flow:from_server,established; content:"<!--/"; fast_pattern; content:"aaaaaa-->"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:7;) Parser failed - skipping rule \/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$ uricontent:"/aa/.bmp.gz"; |---------------------| Building Rule: 2017377 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017378 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 67 77 4b 48 30 38 44 48 68 34 62 56 55 52 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017379 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 67 63 41 42 51 68 4c 41 68 34 66 48 31 46 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017380 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 68 67 43 43 68 30 66 53 67 49 66 47 78 74 56 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017381 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 68 73 41 47 42 74 61 53 67 49 66 47 78 74 56 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017382 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 68 73 41 47 42 74 5a 53 67 49 66 47 78 74 56 
--------- Hex Payload End ----------- ^[A-Za-z0-9\/\+]+={0,2}$ content:"A"; |---------------------| Building Rule: 2017383 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 67 6b 57 48 77 70 4c 20 41 --------- Hex Payload End ----------- ^[A-Za-z0-9\/\+]+={0,2}$ content:"A"; |---------------------| Building Rule: 2017384 -------- Hex Payload Start ---------- 0d 0a 0d 0a 51 67 49 4d 42 68 39 4c 20 41 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr Checkin 1"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/is-ready"; http_uri; fast_pattern:only; nocase; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017516; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2017517 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported =[A-Za-z0-9\/\+]+={0,2}$ uricontent:"=A"; |---------------------| Building Rule: 2017386 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z] content:"NICK {aa-0x86a}a"; |---------------------| Building Rule: 2017395 -------- Hex Payload Start ---------- 4e 49 43 4b 20 7b 20 78 38 36 7d 20 4e 49 43 4b 20 7b 61 61 2d 30 78 38 36 61 7d 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017387 -------- Hex Payload Start ---------- 62 61 73 65 5f 64 65 63 6f 64 65 28 20 64 65 63 6f 64 65 48 65 78 28 20 3c 61 70 70 6c 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017388 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; content:"code="; http_client_body; depth:5; content:"&submit="; distance:0; http_client_body; classtype:trojan-activity; sid:2017389; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2017390
-------- Hex Payload Start ----------
64 6f 63 75 6d 65 6e 74 2e 6d 79 66 6f 72 6d 2e 74 78 74 70 61 74 68 2e 76 61 6c 75 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017391
-------- Hex Payload Start ----------
3c 49 4e 50 55 54 20 74 79 70 65 3d 70 61 73 73 77 6f 72 64 20 6e 61 6d 65 3d 63 6f 64 65 20 3e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; content:"POST"; http_method; nocase; content:"txtpath="; http_client_body; depth:8; content:"&cmd="; http_client_body; classtype:trojan-activity; sid:2017392; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; content:"POST"; http_method; nocase; content:"?upload=@&txtpath="; http_uri; content:"Upload !"; http_client_body; classtype:trojan-activity; sid:2017393; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2017394
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 41 53 50 59 44 72 76 73 49 6e 66 6f 3c 2f 74 69 74 6c 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
^[\r\n\s]*?\x28[\r\n\s]*?base64_decode
content:"(base64_decode";
|---------------------|
Building Rule: 2017399
-------- Hex Payload Start ----------
62 61 73 65 36 34 5f 64 65 63 6f 64 65 20 65 76 61 6c 20 28 62 61 73 65 36 34 5f 64 65 63 6f 64 65
--------- Hex Payload End -----------
^[\r\n\s]*?\x28[\r\n\s]*?gzinflate
content:"(gzinflate";
|---------------------|
Building Rule: 2017400
-------- Hex Payload Start ----------
67 7a 69 6e 66 6c 61 74 65 20 65 76 61 6c 20 28 67 7a 69 6e 66 6c 61 74 65
--------- Hex Payload End -----------
^[\r\n\s]*?\x28[\r\n\s]*?str_rot13
content:"(str_rot13";
|---------------------|
Building Rule: 2017401
-------- Hex Payload Start ----------
73 74 72 5f 72 6f 74 31 33 20 65 76 61 6c 20 28 73 74 72 5f 72 6f 74 31 33
--------- Hex Payload End -----------
^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress
content:"(gzuncompress";
|---------------------|
Building Rule: 2017402
-------- Hex Payload Start ----------
67 7a 75 6e 63 6f 6d 70 72 65 73 73 20 65 76 61 6c 20 28 67 7a 75 6e 63 6f 6d 70 72 65 73 73
--------- Hex Payload End -----------
^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode
content:"(convert_uudecode";
|---------------------|
Building Rule: 2017403
-------- Hex Payload Start ----------
63 6f 6e 76 65 72 74 5f 75 75 64 65 63 6f 64 65 20 65 76 61 6c 20 28 63 6f 6e 76 65 72 74 5f 75 75 64 65 63 6f 64 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017404
-------- Hex Payload Start ----------
6c 76 30 6e 6a 78 71 38 30 6e 6a 78 71 38 30
--------- Hex Payload End -----------
^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
content:""<applet";
|---------------------|
Building Rule: 2017405
-------- Hex Payload Start ----------
76 61 72 20 70 70 31 30 30 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 20 22 3c 61 70 70 6c 65 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017406
-------- Hex Payload Start ----------
20 4a 61 76 61 2f 31 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017407
-------- Hex Payload Start ----------
2e 67 65 74 56 65 72 73 69 6f 6e 20 22 50 47 46 77 63 47 78 6c 64 22 50 47 46 77 63 47 78 6c 64
--------- Hex Payload End -----------
^[^A-Za-z0-9]
content:"#";
|---------------------|
Building Rule: 2017408
-------- Hex Payload Start ----------
65 78 70 69 72 65 73 3d 22 2b 65 78 70 69 72 65 73 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 20 35 31 79 65 73 2e 63 6f 6d 2f 63 6c 69 63 6b 2e 61 73 70 78 3f 20 22 67 62 32 33 31 32 22 20 64 65 6c 65 74 65 20 20 65 76 61 6c 20 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017409
-------- Hex Payload Start ----------
62 64 64 31 66 30 34 62 2d 38 35 38 62 2d 31 31 64 31 2d 62 31 36 61 2d 30 30 63 30 66 30 32 38 33 36 32 38 20 30 4d 38 52 34 4b 47 78 47 75
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017410
-------- Hex Payload Start ----------
39 39 36 42 46 35 45 30 2d 38 30 34 34 2d 34 36 35 30 2d 41 44 45 42 2d 30 42 30 31 33 39 31 34 45 39 39 43 20 30 4d 38 52 34 4b 47 78 47 75
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017411
-------- Hex Payload Start ----------
43 37 34 31 39 30 42 36 2d 38 35 38 39 2d 31 31 64 31 2d 42 31 36 41 2d 30 30 43 30 46 30 32 38 33 36 32 38 20 30 4d 38 52 34 4b 47 78 47 75
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017412
-------- Hex Payload Start ----------
47 45 54 20 2e 67 69 66 3f 70 69 64 20 26 76 3d 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 28
--------- Hex Payload End -----------
^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}
content:"0.0.0.0";
Unsupported keyword!
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; content:"0.0.0.0"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017413; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2017416
-------- Hex Payload Start ----------
2e 70 64 66 20 0d 0a 0d 0a 25 50 44 46 2d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2017418
-------- Hex Payload Start ----------
50 5b 65 6e 64 6f 66 5d
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!2,relative; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017419; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017420 -------- Hex Payload Start ---------- 46 4d 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017421 -------- Hex Payload Start ---------- 72 6e 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017422 -------- Hex Payload Start ---------- 73 63 7e 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017423 -------- Hex Payload Start ---------- 73 63 50 4b 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017424 -------- Hex Payload Start ---------- 43 41 4d 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017425 -------- Hex Payload Start ---------- 55 53 42 20 56 69 64 65 6f 20 44 65 76 69 63 65 5b 65 6e 64 6f 66 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017426 -------- Hex Payload Start ---------- 72 73 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017427 -------- Hex Payload Start ---------- 70 72 6f 63 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017428 -------- Hex Payload Start ---------- 6b 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017429 -------- Hex Payload Start ---------- 52 47 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017430 -------- Hex Payload Start ---------- 6b 6c 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017431 -------- Hex Payload Start ---------- 72 65 74 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017432 -------- Hex Payload Start ---------- 70 6c 7c 27 7c 27 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- ^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"("0<applet"; |---------------------| Building Rule: 2017433 -------- Hex Payload Start ---------- 2f 64 65 70 6c 6f 79 4a 61 76 61 2e 6a 73 20 2e 20 20 52 65 67 45 78 70 20 28 22 30 3c 61 70 70 6c 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017434 
-------- Hex Payload Start ----------
44 6f 43 61 6b 65 28 29 20 61 70 70 6c 65 74 20 2e 70 68 70 3f 65 3d 2e 70 68 70 3f 65 3d
--------- Hex Payload End -----------
\.php\?e=\d+(&|$)
uricontent:".php?e=0&";
|---------------------|
Building Rule: 2017435
-------- Hex Payload Start ----------
4a 61 76 61 2f 31 2e 20
--------- Hex Payload End -----------
[&\?]_SERVER\[[^\]]+?\][^=]*?=
uricontent:"&_SERVER[#]=";
|---------------------|
Building Rule: 2017436
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
[&\?]_GET\[[^\]]+?\][^=]*?=
uricontent:"&_GET[#]=";
|---------------------|
Building Rule: 2017437
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
[&\?]_POST\[[^\]]+?\][^=]*?=
uricontent:"&_POST[#]=";
|---------------------|
Building Rule: 2017438
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
[&\?]_COOKIE\[[^\]]+?\][^=]*?=
uricontent:"&_COOKIE[#]=";
|---------------------|
Building Rule: 2017439
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
[&\?]_SESSION\[[^\]]+?\][^=]*?=
uricontent:"&_SESSION[#]=";
|---------------------|
Building Rule: 2017440
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
[&\?]_REQUEST\[[^\]]+?\][^=]*?=
uricontent:"&_REQUEST[#]=";
|---------------------|
Building Rule: 2017441
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
[&\?]_ENV\[[^\]]+?\][^=]*?=
uricontent:"&_ENV[#]=";
|---------------------|
Building Rule: 2017442
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------| Building Rule: Protocol Not Supported ^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q) NOT IMPL Groupref content:""Java"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; content:""Java"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:4;) Parser failed - skipping rule ^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e) NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:""aa#aaaaaaaa#aa#aa"; |---------------------| Building Rule: 2017451 -------- Hex Payload Start ---------- 22 30 78 22 3b 3d 20 22 61 61 00 61 61 61 61 61 61 61 61 00 61 61 00 61 61 --------- Hex Payload End ----------- ^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$ uricontent:"/aaaaaaa.js?aaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2017453 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}& NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?#=&#=&"; |---------------------| Building Rule: 2017454 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017455 -------- Hex Payload Start ---------- 50 4f 53 54 20 52 65 66 65 72 65 72 3a 20 4d 6f 7a 69 6c 6c 61 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 20 58 2d 52 65 71 75 65 73 74 2d 4b 69 6e 64 2d 43 6f 64 65 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018341 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 65 72 20 --------- Hex Payload End ----------- \.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?& NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?#=#=#&#=&"; |---------------------| Building Rule: 2017456 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017461 -------- Hex Payload Start ---------- 20 26 20 31 35 29 20 3c 3c 20 34 29 20 20 26 20 33 29 20 3c 3c 20 28 33 2b 33 29 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017462 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017464 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017465 -------- Hex Payload Start ---------- 50 4f 53 54 20 2e 20 2e 20 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:2;) Parser failed - skipping rule \/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"//aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2017467 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017468 -------- Hex Payload Start ---------- 4a 54 4e 44 4a 54 4e 47 65 47 31 73 4a 54 49 77 64 6d 56 79 63 32 6c 76 62 69 55 7a 52 43 55 79 20 2f 6d 69 63 72 6f 73 6f 66 74 2e 6a 6e 6c 70 --------- Hex Payload End ----------- \/cod\/[^\x2f]+\.vbs$ uricontent:"/cod/#.vbs"; |---------------------| Building Rule: 2017469 
-------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017470 -------- Hex Payload Start ---------- 42 44 62 47 56 68 63 6b 6c 75 64 47 56 79 62 6d 56 30 51 32 46 6a 61 47 55 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017471 -------- Hex Payload Start ---------- 49 45 4e 73 5a 57 46 79 53 57 35 30 5a 58 4a 75 5a 58 52 44 59 57 4e 6f 5a 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017472 -------- Hex Payload Start ---------- 51 32 78 6c 59 58 4a 4a 62 6e 52 6c 63 6d 35 6c 64 45 4e 68 59 32 68 6c 4b --------- Hex Payload End ----------- =\d+&e=\d+$ uricontent:"=0&e=0"; |---------------------| Building Rule: 2017473 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 20 6d --------- Hex Payload End ----------- \/cp\/\?(?:logo\.jpg|adm) uricontent:"/cp/?"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Dipverdle.A Activity"; flow:to_server,established; content:"POST"; http_method; content:"/cp/?"; http_uri; nocase; fast_pattern:only; uricontent:"/cp/?"; content:!"Referer|3a|"; http_header; content:"token="; nocase; http_client_body; depth:6; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017476 -------- Hex Payload Start ---------- 2e 63 6c 61 73 73 50 4b 20 2e 6d 70 34 50 4b --------- Hex Payload End ----------- ^(?:Text|HTML) content:""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; content:"outer"; nocase; content:""; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:5;) Parser failed - skipping rule ^(?:Text|Html) content:""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; content:"outer"; nocase; content:""; content:"onlosecapture"; nocase; fast_pattern:only; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6;) Parser failed - skipping rule ^(?:Text|HTML) content:""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; content:""; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2017477 -------- Hex Payload Start ---------- 6d 73 2d 68 65 6c 70 3a 2f 2f 20 6f 6e 6c 6f 73 65 63 61 70 74 75 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017481 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017482 -------- Hex Payload Start ---------- 3c 62 6f 64 79 20 6f 6e 4c 6f 61 64 3d 20 52 65 64 69 72 65 63 74 2e 2e 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017483 -------- Hex Payload Start ---------- 20 44 72 6f 70 50 61 79 6c 6f 61 64 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017484 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 53 75 63 6b 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017485 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 61 6c 69 67 6e 5f 65 73 70 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017486 -------- Hex Payload Start ---------- 43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65 20 65 76 61 6c 28 27 75 
6e 65 73 63 61 70 65 27 29 20 27 25 75 27 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017488 -------- Hex Payload Start ---------- 28 22 6d 73 2d 68 65 6c 70 3a 2f 2f 22 29 3b 28 22 6d 73 2d 68 65 6c 70 3a 2f 2f 22 29 3b 20 28 22 6d 73 2d 68 65 6c 70 3a 22 29 3b 28 22 6d 73 2d 68 65 6c 70 3a 22 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2017489 -------- Hex Payload Start ---------- 20 2e 20 2e --------- Hex Payload End ----------- ^\/updater\/[a-f0-9]{32}\/[0-9]$ uricontent:"/updater/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/0"; |---------------------| Building Rule: 2017490 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017494 -------- Hex Payload Start ---------- 63 48 4a 6c 62 47 39 68 5a 47 56 79 4c 57 4e 73 59 58 4e 7a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017495 -------- Hex Payload Start ---------- 77 63 6d 56 73 62 32 46 6b 5a 58 49 74 59 32 78 68 63 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017496 -------- Hex Payload Start ---------- 42 79 5a 57 78 76 59 57 52 6c 63 69 31 6a 62 47 46 7a 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017497 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017498 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 68 65 61 70 20 73 70 72 61 79 --------- Hex Payload End ----------- ^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20} NOT IMPL not _simple(av) in REPEATING CODES content:"aaaa"; |---------------------| Building Rule: 2017499 -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 20 22 25 75 20 2e 20 61 61 61 61 --------- Hex Payload End ----------- ^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20} NOT IMPL not _simple(av) in REPEATING CODES content:"aaaa"; |---------------------| Building Rule: 2017500 -------- 
Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 20 27 25 75 20 2e 20 61 61 61 61 --------- Hex Payload End ----------- ^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20} NOT IMPL not _simple(av) in REPEATING CODES content:"aaaa"; |---------------------| Building Rule: 2017501 -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 20 22 5f 75 20 61 61 61 61 --------- Hex Payload End ----------- ^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20} NOT IMPL not _simple(av) in REPEATING CODES content:"aaaa"; |---------------------| Building Rule: 2017502 -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 20 27 5f 75 20 2e 20 61 61 61 61 --------- Hex Payload End ----------- ^[^a-z0-9] content:"#"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Used in various watering hole attacks"; flow:established,from_server; content:"ConVertData"; content:"#"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:trojan-activity; sid:2017503; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2017504 -------- Hex Payload Start ---------- 2e 63 6f 6d 2e 65 78 65 20 0d 0a 0d 0a 4d 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017505 Error here depth! 
-------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017506 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 4d 61 69 6e 2d 43 6c 61 73 73 3a 20 61 74 6f 6d 69 63 2e 41 74 6f 6d 69 63 --------- Hex Payload End ----------- \/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$ uricontent:"/.php?message=A"; |---------------------| Building Rule: 2017507 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017511 -------- Hex Payload Start ---------- 50 4f 53 54 20 41 67 74 69 64 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017509 -------- Hex Payload Start ---------- 3c 6a 66 78 3a 20 70 72 65 6c 6f 61 64 65 72 2d 63 6c 61 73 73 20 3c 6a 6e 6c 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017510 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 70 75 74 50 61 79 6c 6f 61 64 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017512 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017513 -------- Hex Payload Start 
---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017515 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 79 74 68 6f 6e 2d 72 65 71 75 65 73 74 73 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017518 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 69 61 6d 2d 72 65 61 64 79 20 3c 7c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017519 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3c 7c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017520 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 69 73 2d 65 6e 75 6d 2d 66 61 20 3c 7c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017521 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3c 7c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017522 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3c 7c 3e --------- Hex Payload End ----------- ^[A-Z]\x3a\x5f content:"A:_"; |---------------------| Building Rule: 2017523 -------- Hex Payload Start ---------- 0d 0a 73 65 6e 64 3c 7c 3e 20 41 3a 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017526 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 76 62 65 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\d+\w+\/\d+\w+ free \(\d+% used\) content:"0A/0A free (0% used)"; |---------------------| Building Rule: 2017525 Error here within! -------- Hex Payload Start ---------- 00 00 20 20 00 00 00 01 20 52 41 4d 0a 7c 20 30 41 2f 30 41 20 66 72 65 65 20 28 30 25 20 75 73 65 64 29 --------- Hex Payload End ----------- ^.{8}[\x20-\x7e]+?\x7b\x9e content:"00000000 {"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern:only; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; content:"00000000 {"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:trojan-activity; sid:2017548; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2017528 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 6f 72 64 70 72 65 73 73 2f --------- Hex Payload End ----------- \.php\?dwl=[a-z]+$ uricontent:".php?dwl=a"; |---------------------| Building Rule: 2017529 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017530 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017531 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017532 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017534 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017535 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017536 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017537 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017538 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2017539 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017540 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017541 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017542 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017543 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017544 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 20 3a 20 2e 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017545 -------- Hex Payload Start ---------- 4e 65 77 20 5a 65 61 6c 61 6e 64 6e 20 48 6f 6c 69 64 61 79 20 3c 61 70 70 6c 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017546 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 72 6f 74 6f 74 79 70 65 42 0d 0a 20 20 20 2e --------- Hex Payload End ----------- \/index\.html\?p=\d+$ uricontent:"/index.html?p=0"; |---------------------| Building Rule: 2017547 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- \/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$ uricontent:"/index.php?a=AAA"; |---------------------| Building Rule: 2017552 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017549 -------- Hex Payload Start ---------- 4d 69 63 72 6f 
73 6f 66 74 20 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 61 70 70 6c 65 74 5f 73 73 76 5f 76 61 6c 69 64 61 74 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017550 -------- Hex Payload Start ---------- 6a 61 76 61 33 28 29 3b 20 6a 61 76 61 32 28 29 3b 20 70 64 66 28 29 3b 20 69 65 28 29 3b --------- Hex Payload End ----------- ^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"="h00ttp:"; |---------------------| Building Rule: 2017551 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 76 61 6c 75 65 20 3d 22 68 30 30 74 74 70 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017553 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}& NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?#=&#=&"; |---------------------| Building Rule: 2017554 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- \/[A-F0-9]{8}\.js\?cp= uricontent:"/AAAAAAAA.js?cp="; |---------------------| Building Rule: 2017555 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017557 -------- Hex Payload Start ---------- 4d 45 54 41 2d 49 4e 46 2f 73 65 72 76 69 63 65 73 2f 6a 61 76 61 2e 73 71 6c 2e 44 72 69 76 65 72 73 20 4d 45 54 41 2d 49 4e 46 2f 73 65 72 76 69 63 65 73 2f 6a 61 76 61 2e 6c 61 6e 67 2e 4f 62 6a 65 63 74 --------- Hex Payload End ----------- \.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?& NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?#=##########&#=#&#=####################&"; |---------------------| Building Rule: 2017556 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2017558 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017559 -------- Hex Payload Start ---------- 53 53 48 2d 32 2e 30 2d 50 75 54 54 59 5f 4c 6f 63 61 6c 3a 5f 46 65 62 5f 5f 35 5f 32 30 31 33 5f 31 38 3a 32 36 3a 35 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017560 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017561 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017562 -------- Hex Payload Start ---------- 45 6d 62 61 73 73 79 20 20 54 6f 6b 79 6f 2c 20 4a 61 70 61 6e 20 3c 61 70 70 6c 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017563 -------- Hex Payload Start ---------- 24 4d 79 43 6f 6c 6f 72 4d 6f 64 65 6c 2e 63 6c 61 73 73 20 24 4d 79 43 6f 6c 6f 72 53 70 61 63 65 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017564 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 6e 61 6d 65 3d 22 6b 75 72 62 61 6e 22 20 2e 65 78 65 --------- Hex Payload End ----------- ^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$ uricontent:"/a0a/?0"; |---------------------| Building Rule: 2017567 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK NOT IMPL Groupref NOT IMPL Groupref content:"aaaaaaa.classPK0$aaaaaaaaaaaa.classPK0$aaaaaaaaaaaa.classPK"; |---------------------| Building Rule: 2017568 Error here within! Error here within! 
-------- Hex Payload Start ---------- 2e 63 6c 61 73 73 50 4b 20 24 2e 63 6c 61 73 73 50 4b 20 24 20 61 61 61 61 61 61 61 2e 63 6c 61 73 73 50 4b 30 24 61 61 61 61 61 61 61 61 61 61 61 61 2e 63 6c 61 73 73 50 4b 30 24 61 61 61 61 61 61 61 61 61 61 61 61 2e 63 6c 61 73 73 50 4b --------- Hex Payload End ----------- ^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true NOT IMPL Groupref NOT IMPL Groupref Parser failed - skipping rule ^\/1[a-z0-9]{13}$ uricontent:"/1aaaaaaaaaaaaa"; |---------------------| Building Rule: 2017571 Error here depth! -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- ^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22] content:"'Unselect'"; |---------------------| Building Rule: 2017572 -------- Hex Payload Start ---------- 6f 6e 70 72 6f 70 65 72 74 79 63 68 61 6e 67 65 20 2e 65 78 65 63 43 6f 6d 6d 61 6e 64 28 20 27 55 6e 73 65 6c 65 63 74 27 20 61 70 70 65 6e 64 43 68 69 6c 64 28 20 74 65 78 74 61 72 65 61 20 2e 73 65 6c 65 63 74 28 20 2e 6f 6e 73 65 6c 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017573 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 69 6e 76 6f 63 61 74 69 6f 6e 2e 4d 61 72 73 68 61 6c 6c 65 64 49 6e 76 6f 63 61 74 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017574 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 69 6e 76 6f 63 61 74 69 6f 6e 2e 4d 61 72 73 68 61 6c 6c 65 64 49 6e 76 6f 63 61 74 69 6f 6e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; content:"POST"; http_method; content:"/upgrade.php"; http_uri; nocase; fast_pattern:only; content:"Origin|3a|"; http_header; content:"&customerid="; nocase; http_client_body; content:"&htmlsubmit="; http_client_body; content:"username"; nocase; http_client_body; content:"confirmpassword"; http_client_body; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017576 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017577 -------- Hex Payload Start ---------- 27 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 76 6d 6c 27 20 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 3b 20 72 65 74 75 72 6e 20 70 61 72 73 65 49 6e 74 20 72 65 74 75 72 6e 20 27 27 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017578 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017579 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017580 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017584 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017582 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 3a --------- Hex Payload End ----------- \/crypt_[^\/]*?sell[^\/]*?\d\.exe$ uricontent:"/crypt_sell0.exe"; |---------------------| 
Building Rule: 2017583 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/tools\.ini$ uricontent:"/tools.ini"; |---------------------| Building Rule: 2017585 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/officeaddinupdate\.xml$ uricontent:"/officeaddinupdate.xml"; |---------------------| Building Rule: 2017586 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017587 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017588 -------- Hex Payload Start ---------- 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 70 61 63 68 65 2d 48 74 74 70 43 6c 69 65 6e 74 2f 20 2e --------- Hex Payload End ----------- ^\/ep\/cl\.php$ uricontent:"/ep/cl.php"; |---------------------| Building Rule: 2017589 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^[\r\n\s]*?[\x22\x27]Java[\x22\x27] content:""Java""; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; content:""Java""; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2017591; rev:2;) Parser failed - skipping rule ^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$ content:"Host: 0.0.0.0 "; |---------------------| Building Rule: 2017592 -------- Hex Payload Start ---------- 2e 70 68 70 3f 74 6e 7a 70 70 6c 3d 26 65 6e 64 6f 76 65 6e 61 66 73 6c 3d 20 48 6f 73 74 3a 20 30 2e 30 2e 30 2e 30 0d --------- Hex Payload End ----------- ^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$ uricontent:"/oaaaa?haaaa=000000"; |---------------------| Building Rule: 2017593 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- \/b[a-z]+?\?n[a-z]+?=[a-z]+$ uricontent:"/ba?na=a"; |---------------------| Building Rule: 2017594 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- \/v[a-z]+?\?n[a-z]+?=[a-z]+$ uricontent:"/va?na=a"; |---------------------| Building Rule: 2017595 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017596 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4d 25 30 31 25 30 36 25 30 30 25 31 38 25 30 32 25 31 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017597 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5f 25 31 31 25 31 31 25 31 36 25 30 41 25 31 32 25 30 36 --------- Hex Payload End ----------- ^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/A.exe"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Kelihos.F EXE Download Common Structure"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; uricontent:"/A.exe"; pcre:"/^Host\x3A\x20[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x0D\x0A\x0D?\x0A?$/H"; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:9;) Parser failed - skipping rule &a2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$) uricontent:"&a2="; |---------------------| Building Rule: 2017599 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- 
&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$) uricontent:"&arg2="; |---------------------| Building Rule: 2017600 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/1[34]\d{8}\.tpl$ uricontent:"/1300000000.tpl"; |---------------------| Building Rule: 2017601 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27] NOT IMPL not _simple(av) in REPEATING CODES content:"="/""; |---------------------| Building Rule: 2017602 -------- Hex Payload Start ---------- 61 70 70 6c 65 74 61 72 63 68 69 76 65 20 3d 22 2f 22 --------- Hex Payload End ----------- ^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; |---------------------| Building Rule: 2017603 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- ^\/[a-f0-9]{32}\/[a-f0-9]{32}$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; content:"Referer|3a| http|3a|//"; pcre:"/^[^\/\r\n]+/R"; content:"/?"; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/R"; content:" MSIE "; http_header; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017613; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2017604 -------- Hex Payload Start ---------- 0d 0a 0d 0a 47 49 46 38 39 3c 3f 70 68 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017605 Error here within! 
-------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 4a 46 49 46 00 3c 3f 70 68 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017606 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 50 4e 47 0d 0a 1a 0a 3c 3f 70 68 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017607 -------- Hex Payload Start ---------- 0d 0a 0d 0a 47 49 46 38 39 3c 3f 70 68 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017608 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 4a 46 49 46 00 3c 3f 70 68 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017609 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 50 4e 47 0d 0a 1a 0a 3c 3f 70 68 70 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; content:"/WEB-INF/web.xml"; nocase; http_uri; fast_pattern:only; content:"|2e 2e 2f|"; http_raw_uri; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017615 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 61 73 73 63 61 6e 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017616 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 61 73 73 63 61 6e 2f --------- Hex Payload End ----------- \x2Fjs\x2F[\r\n]*\x2Eexe$ uricontent:"/js/.exe"; |---------------------| Building Rule: 2017617 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 
64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 72 76 3a 32 32 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 32 32 2e 30 0d 0a --------- Hex Payload End ----------- \/[A-F0-9]+$ uricontent:"/A"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kuluoz Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"name=|22|key|22|"; http_client_body; nocase; content:"filename=|22|key.bin|22|"; http_client_body; nocase; content:"name=|22|data|22|"; http_client_body; nocase; content:"filename=|22|data.bin|22|"; http_client_body; nocase; uricontent:"/A"; reference:md5,c71416a9ec5414fe487167b5bfd921ec; classtype:trojan-activity; sid:2017620; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2017621 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017622 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017623 -------- Hex Payload Start ---------- 77 33 30 32 72 5f 6d 66 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017624 -------- Hex Payload Start ---------- 72 6c 69 6e 6b 5f 6d 66 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017625 -------- Hex Payload Start ---------- 3c 21 2d 2d 38 31 61 33 33 38 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017626 -------- Hex Payload Start ---------- 3c 21 2d 2d 38 31 61 33 33 38 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017627 -------- Hex Payload Start ---------- 51 58 4e 6b 61 --------- Hex Payload End ----------- ^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a.a"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_header; fast_pattern:only; content:".pl|3a|"; http_header; uricontent:"/a.a"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:3;) Parser failed - skipping rule \.php\?cashe=\d+$ uricontent:".php?cashe=0"; |---------------------| Building Rule: 2017629 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017630 -------- Hex Payload Start ---------- 0d 0a 0d 0a 7c 68 a3 34 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017631 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017632 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[\r\n\s]*?\x3a[\r\n\s]*?none content:":none"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; content:"domestic transit area.<br>"; fast_pattern:6,20; content:"display"; nocase; content:":none"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017634; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2017635 -------- Hex Payload Start ---------- 66 72 6f 6d 43 68 61 72 43 6f 64 65 20 2b 30 2b 30 2b 33 2d 31 2d 31 20 73 75 62 73 74 72 20 28 33 2d 31 29 --------- Hex Payload End ----------- \/1(?:3[89]\d{7}|4\d{8})\.pdf$ uricontent:"/1.pdf"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; content:"/1"; http_uri; uricontent:"/1.pdf"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017636; rev:11;) Parser failed - skipping rule |---------------------| Building Rule: 2017637 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 2d 61 72 63 68 69 76 65 20 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f 20 0d 0a 0d 0a 50 4b --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017638 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017640 -------- Hex Payload Start ---------- 65 76 61 6c 6d 63 72 79 70 74 5f 64 65 63 72 79 70 74 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell in POST"; flow:established,to_server; content:"POST"; http_method; content:"eval"; http_client_body; content:"mcrypt_decrypt"; http_client_body; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017641; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017645 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 03 62 69 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017646 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 2e 31 2e 33 3b 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017647 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaa.php?aaaa=0"; |---------------------| Building Rule: 2017648 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; content:"|0d 0a 0d 0a|"; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017649; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2017650 -------- Hex Payload Start ---------- 67 6f 32 50 61 67 65 28 27 2f 27 2b 50 6c 75 67 69 6e 44 65 74 65 63 74 2e 67 65 74 56 65 72 73 69 6f 6e 28 22 41 64 6f 62 65 52 65 61 64 65 72 22 29 2b 27 2e 70 64 66 27 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2018412 -------- Hex Payload Start ---------- 20 62 6f 74 3d --------- Hex Payload End ----------- ^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$ uricontent:"/aaaaa?aaaaa=000000"; |---------------------| Building Rule: 2017652 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 
20 --------- Hex Payload End ----------- ^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$ uricontent:"/aaaaa?aaaaa=aaaaaa"; |---------------------| Building Rule: 2017653 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017655 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 61 77 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017657 -------- Hex Payload Start ---------- 43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65 20 4d 61 74 68 2e 61 74 61 6e 32 4d 61 74 68 2e 61 74 61 6e 32 4d 61 74 68 2e 61 74 61 6e 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017660 -------- Hex Payload Start ---------- 0d 0a 43 6f 6f 6b 69 65 3a 20 61 73 67 33 32 35 77 65 32 33 34 3d 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017661 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017662 -------- Hex Payload Start ---------- 58 2d 53 69 6e 6b 68 6f 6c 65 64 2d 44 6f 6d 61 69 6e 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018112 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 6f 77 6e 6c 6f 61 64 65 72 20 4d 4c 52 20 31 2e 30 2e 30 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_header; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2017664 -------- Hex Payload Start ---------- 50 41 53 53 20 66 72 65 64 63 6f 74 31 32 33 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017665 -------- Hex Payload Start ---------- 4a 4f 49 4e 20 23 31 31 31 31 20 64 64 6f 73 69 74 --------- Hex Payload End ----------- ^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/f/1400000000"; |---------------------| Building Rule: 2017667 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017668 -------- Hex Payload Start ---------- 70 6c 75 67 69 6e 73 2f 41 64 77 69 6e 64 53 65 72 76 65 72 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017669 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 03 04 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017670 -------- Hex Payload Start ---------- 77 6f 72 64 2f 61 63 74 69 76 65 58 2f 61 63 74 69 76 65 58 34 30 2e 78 6d 6c 20 77 6f 72 64 2f 6d 65 64 69 61 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017671 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 79 57 65 62 43 6c 69 65 6e 74 --------- Hex Payload End ----------- \/msctcd\.exe$ uricontent:"/msctcd.exe"; |---------------------| Building Rule: 2017672 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/taskmgr\.exe$ uricontent:"/taskmgr.exe"; |---------------------| Building Rule: 2017673 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/wsqmocn\.exe$ uricontent:"/wsqmocn.exe"; |---------------------| Building Rule: 2017674 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/connhost\.exe$ uricontent:"/connhost.exe"; |---------------------| Building Rule: 2017675 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/lgfxsrvc\.exe$ uricontent:"/lgfxsrvc.exe"; |---------------------| Building Rule: 2017676 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/wimhost\.exe$ uricontent:"/wimhost.exe"; |---------------------| Building Rule: 2017677 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/winlog\.exe$ uricontent:"/winlog.exe"; |---------------------| Building Rule: 2017679 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/waulct\.exe$ uricontent:"/waulct.exe"; |---------------------| Building Rule: 2017680 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/alg\.exe$ uricontent:"/alg.exe"; |---------------------| Building Rule: 2017681 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/mssrs\.exe$ uricontent:"/mssrs.exe"; |---------------------| Building Rule: 2017682 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/winhosts\.exe$ uricontent:"/winhosts.exe"; |---------------------| Building Rule: 2017683 -------- Hex Payload Start 
---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/cgi/url_redirect.cgi"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017688; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Schneebly Posting ScreenShot"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/viewimage.php?s="; http_uri; nocase; content:!"&"; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:"filename="; http_client_body; content:"JFIF"; distance:0; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017689; rev:2;) Parser failed - skipping rule rssfeed\.php\?a=[^&]+?&\d+$ uricontent:"rssfeed.php?a=#&0"; |---------------------| Building Rule: 2017690 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017691 -------- Hex Payload Start ---------- 20 20 20 20 20 3a --------- Hex Payload End ----------- (?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot) Parser failed - skipping rule 
^\/\?[a-f0-9]{32}$ uricontent:"/?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2017694 -------- Hex Payload Start ---------- 20 20 4d 53 49 45 20 20 3a --------- Hex Payload End ----------- ^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n NOT IMPL Groupref content:"GET /0aaaaaaaaaaaaa HTTP/1.0 Referer: http://#/ "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\) content:"#]^0)"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude Landing Nov 11 2013"; flow:established,from_server; content:".fromCharCode("; nocase; content:"#]^0)"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:trojan-activity; sid:2017698; rev:3;) Parser failed - skipping rule ^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$ NOT IMPL Groupref NOT IMPL Groupref uricontent:"/0A000.pdf"; |---------------------| Building Rule: 2017699 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017701 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[a-f0-9]+$ uricontent:"/a"; |---------------------| Building Rule: 2017702 -------- Hex Payload Start ---------- 50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6c 79 6e 78 0d 0a 20 3a --------- Hex Payload End ----------- ^\/1[a-z0-9]{13}$ uricontent:"/1aaaaaaaaaaaaa"; |---------------------| Building Rule: 2017703 -------- Hex Payload Start ---------- 20 3a 20 2e 20 0d 0a 0d 0a --------- Hex Payload End 
----------- |---------------------| Building Rule: 2017704 -------- Hex Payload Start ---------- 31 39 39 31 36 45 30 31 2d 42 34 34 45 2d 34 45 33 31 2d 39 34 41 34 2d 34 36 39 36 44 46 34 36 31 35 37 42 20 2e 72 65 71 75 69 72 65 64 43 6c 61 69 6d 73 20 2e 72 65 6d 6f 76 65 28 20 2e 61 64 64 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017705 -------- Hex Payload Start ---------- 49 6e 66 6f 72 6d 61 74 69 6f 6e 43 61 72 64 53 69 67 6e 69 6e 48 65 6c 70 65 72 20 2e 72 65 71 75 69 72 65 64 43 6c 61 69 6d 73 20 2e 72 65 6d 6f 76 65 28 20 2e 61 64 64 28 --------- Hex Payload End ----------- ^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaa.php?aaaa=0"; |---------------------| Building Rule: 2017706 -------- Hex Payload Start ---------- 20 3a 20 20 4d 53 49 45 20 --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x79\x9e content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:to_server,established; dsize:>11; content:"|79 9e|"; fast_pattern:only; content:" 00000000y"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017707; rev:1;) Parser failed - skipping rule ^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20} NOT IMPL not _simple(av) in REPEATING CODES content:"aaaa"; |---------------------| Building Rule: 2017708 Error here within! Error here within! 
-------- Hex Payload Start ---------- 31 39 39 31 36 45 30 31 2d 42 34 34 45 2d 34 45 33 31 2d 39 34 41 34 2d 34 36 39 36 44 46 34 36 31 35 37 42 20 5c 75 20 20 20 20 5c 75 20 20 20 20 5c 75 20 61 61 61 61 --------- Hex Payload End ----------- ^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20} NOT IMPL not _simple(av) in REPEATING CODES content:"aaaa"; |---------------------| Building Rule: 2017709 Error here within! Error here within! -------- Hex Payload Start ---------- 31 39 39 31 36 45 30 31 2d 42 34 34 45 2d 34 45 33 31 2d 39 34 41 34 2d 34 36 39 36 44 46 34 36 31 35 37 42 20 25 75 20 20 20 20 25 75 20 20 20 20 25 75 20 61 61 61 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017710 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017711 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$ uricontent:"aa=aA"; |---------------------| Building Rule: 2017713 Error here depth! -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 2e 20 74 20 2e --------- Hex Payload End ----------- ^\/[A-F0-9]{24}$ uricontent:"/AAAAAAAAAAAAAAAAAAAAAAAA"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX Checkin"; flow:to_server,established; content:"POST"; http_method; uricontent:"/AAAAAAAAAAAAAAAAAAAAAAAA"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6;) Parser failed - skipping rule ^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\| content:"AAA|U|D|W7|x86|"; Parser failed - skipping rule \/monitor\.php\?resp=ID\x3a[A-Za-z]{15} uricontent:"/monitor.php?resp=ID:AAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2017717 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 53 45 4f 62 6f 74 29 0d 0a --------- Hex Payload End ----------- \/operator\/login\.php$ uricontent:"/operator/login.php"; |---------------------| Building Rule: 2017718 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 74 20 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 53 45 4f 62 6f 74 29 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,20; http_header; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,20; http_header; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:2;) Parser failed - skipping rule \/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$ uricontent:"/gate.php?cmd="; |---------------------| Building Rule: 2017723 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017724 Protocol Not Supported |---------------------| Building Rule: 2017725 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017726 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 73 20 64 6f 77 6e 6c 6f 61 64 65 72 --------- Hex Payload End ----------- ^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}) NOT IMPL not _simple(av) in REPEATING CODES 
content:""; |---------------------| Building Rule: 2017727 -------- Hex Payload Start ---------- 3a 21 3b 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017728 -------- Hex Payload Start ---------- 39 30 30 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017729 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 73 6f 66 74 20 61 70 70 6c 65 2e 3c 2f 74 69 74 6c 65 3e 20 41 67 43 6f 6e 74 72 6f 6c 2e 41 67 43 6f 6e 74 72 6f 6c 20 4d 61 74 68 2e 66 6c 6f 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017730 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ^\/1[a-z0-9]{13}\.[a-z]{3}$ uricontent:"/1aaaaaaaaaaaaa.aaa"; |---------------------| Building Rule: 2017731 -------- Hex Payload Start ---------- 20 3a 20 2e 20 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017732 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 61 62 61 62 62 73 73 2e 64 6c 6c 20 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017734 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ^[\r\n\s]*?\( content:"("; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; content:"makeid"; content:"("; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:trojan-activity; sid:2017735; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2017736 -------- Hex Payload Start ---------- 61 30 64 6d 62 6c 78 6d 4c 35 46 6d 63 79 46 6d 4c 6c 78 57 65 30 4e 48 61 7a 46 47 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017737 -------- Hex Payload Start ---------- 67 47 64 6e 35 57 5a 73 35 53 65 68 4a 6e 63 68 35 53 5a 73 6c 48 64 7a 68 32 63 68 52 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017738 -------- Hex Payload Start ---------- 6f 52 33 5a 75 56 47 62 75 6b 58 59 79 4a 58 59 75 55 47 62 35 52 33 63 6f 4e 58 59 6b --------- Hex Payload End ----------- ^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$ NOT IMPL Groupref uricontent:"/?A=#&=#"; |---------------------| Building Rule: 2017739 Error here depth! -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017740 Error here within! -------- Hex Payload Start ---------- 6f 62 6a 65 63 74 22 2e 73 75 62 73 74 72 69 6e 67 28 31 35 29 20 22 --------- Hex Payload End ----------- \.php\?(q|name)= uricontent:".php?q="; |---------------------| Building Rule: 2017741 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$ NOT IMPL Groupref uricontent:"/?A=#&=A"; |---------------------| Building Rule: 2017743 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 20 4d 53 49 45 20 20 3a 20 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017744 -------- Hex Payload Start ---------- 43 6f 6f 6b 69 65 3a 20 66 47 47 68 54 61 73 64 61 73 3d 68 74 74 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017745 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/other.txt"; fast_pattern; http_uri; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; flowbits:set,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:3;) Parser failed - skipping rule ^\d+?\x5d content:"0]"; |---------------------| Building Rule: 2017747 -------- Hex Payload Start ---------- 5b 53 6f 66 74 20 30 5d 53 6f 66 74 54 69 74 6c 65 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2017748 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2017749 -------- Hex Payload Start ---------- 0d 0a 0d 0a ca fe ba be --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017750; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017751; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"/gmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017752; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"/hotmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017753; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017754; rev:2;) Parser failed - skipping rule \/\d{6}\.mp3$ uricontent:"/000000.mp3"; |---------------------| Building Rule: 2017755 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017756 -------- Hex Payload Start ---------- 47 6f 6f 6e 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017757 -------- Hex Payload Start ---------- 61 6d 46 32 59 53 39 73 59 57 35 6e 4c 31 4a 31 62 6e 52 70 62 57 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017758 -------- Hex Payload Start ---------- 70 68 64 6d 45 76 62 47 46 75 5a 79 39 53 64 57 35 30 61 57 31 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017759 -------- Hex Payload Start ---------- 71 59 58 5a 68 4c 32 78 68 62 6d 63 76 55 6e 56 75 64 47 6c 74 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017760 -------- Hex Payload Start ---------- 65 74 53 65 63 75 72 69 74 79 4d 61 6e 61 67 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017761 -------- Hex Payload Start ---------- 6a 61 76 61 2f 73 65 63 75 72 69 74 79 2f 50 72 6f 74 65 63 74 69 6f 6e 44 6f 6d 61 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017762 -------- Hex Payload Start ---------- 67 6c 61 73 73 66 69 73 68 2f 67 6d 62 61 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017763 -------- Hex Payload Start ---------- 79 76 36 36 76 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2017764 -------- Hex Payload Start ---------- 6a 6d 78 2f 6d 62 65 61 6e 73 65 72 76 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017765 -------- Hex Payload Start ---------- 6d 62 65 61 6e 73 65 72 76 65 72 2f 49 6e 74 72 6f 73 70 65 63 74 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017766 -------- Hex Payload Start ---------- 67 6c 61 73 73 66 69 73 68 2f 65 78 74 65 72 6e 61 6c 2f 73 74 61 74 69 73 74 69 63 73 2f 69 6d 70 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017767 -------- Hex Payload Start ---------- 6d 61 6e 61 67 65 6d 65 6e 74 2f 4d 42 65 61 6e 53 65 72 76 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017768 -------- Hex Payload Start ---------- 73 75 6e 2e 6f 72 67 2e 6d 6f 7a 69 6c 6c 61 2e 6a 61 76 61 73 63 72 69 70 74 2e 69 6e 74 65 72 6e 61 6c 2e 43 6f 6e 74 65 78 74 20 73 75 6e 2e 6f 72 67 2e 6d 6f 7a 69 6c 6c 61 2e 6a 61 76 61 73 63 72 69 70 74 2e 69 6e 74 65 72 6e 61 6c 2e 47 65 6e 65 72 61 74 65 64 43 6c 61 73 73 4c 6f 61 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017769 -------- Hex Payload Start ---------- 43 41 46 45 42 41 42 45 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017770 -------- Hex Payload Start ---------- 74 72 61 63 69 6e 67 2f 50 72 6f 76 69 64 65 72 46 61 63 74 6f 72 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017771 -------- Hex Payload Start ---------- 6a 61 76 61 2f 61 77 74 2f 69 6d 61 67 65 20 52 61 73 74 65 72 20 53 61 6d 70 6c 65 4d 6f 64 65 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017772 -------- Hex Payload Start ---------- 6a 61 76 61 2f 61 77 74 2f 69 6d 61 67 65 2f 53 69 6e 67 6c 65 50 69 78 65 6c 50 61 63 6b 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017773 
-------- Hex Payload Start ---------- 6a 61 76 61 2f 61 77 74 2f 69 6d 61 67 65 2f 4d 75 6c 74 69 50 69 78 65 6c 50 61 63 6b 65 64 --------- Hex Payload End ----------- ^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/00000000/1300000000.htm"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; uricontent:"/00000000/1300000000.htm"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017774; rev:9;) Parser failed - skipping rule ^[a-z0-9\+\/]+={0,2}$ content:"a"; |---------------------| Building Rule: 2017775 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5a 20 20 50 57 68 30 64 48 41 20 61 --------- Hex Payload End ----------- ^(?:\r\n|$) content:""; |---------------------| Building Rule: 2017776 -------- Hex Payload Start ---------- 0d 0a 0d 0a 64 33 52 6d 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017777 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 2e 74 61 6b 65 43 61 6d 65 72 61 50 69 63 74 75 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017778 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 67 65 74 47 61 6c 6c 65 72 79 49 6d 61 67 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017779 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 6d 61 6b 65 43 61 6c 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017780 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 70 6f 73 74 54 6f 53 6f 63 69 61 6c --------- Hex Payload End 
----------- |---------------------| Building Rule: 2017781 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 73 65 6e 64 4d 61 69 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2017782 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 73 65 6e 64 53 4d 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017783 -------- Hex Payload Start ---------- 75 74 69 6c 69 74 79 43 6f 6e 74 72 6f 6c 6c 65 72 20 72 65 67 69 73 74 65 72 4d 69 63 4c 69 73 74 65 6e 65 72 --------- Hex Payload End ----------- ^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"/AA/?a HTTP/1.0 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) Host: # "; |---------------------| Building Rule: Protocol Not Supported ^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in 
REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"("fromCharcode""; |---------------------| Building Rule: 2017785 -------- Hex Payload Start ---------- 23 64 65 66 61 75 6c 74 23 56 4d 4c 20 73 74 72 6f 6b 65 20 76 69 73 69 62 69 6c 69 74 79 68 69 64 64 65 6e 20 41 72 72 61 79 20 28 22 66 72 6f 6d 43 68 61 72 63 6f 64 65 22 --------- Hex Payload End ----------- ^[^\s]*?\s*?\/[^\r\n\s]*?\?src= content:"/?src="; |---------------------| Building Rule: 2017786 -------- Hex Payload Start ---------- 3f 73 72 63 3d 20 72 65 71 75 65 73 74 3a 20 6d 69 63 72 6f 73 6f 66 74 5f 75 70 64 61 74 65 0d 0a 20 2f 3f 73 72 63 3d --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"/send_sim_no.php"; http_uri; content:"mobile_no="; http_client_body; depth:16; content:"&datetime="; http_client_body; within:30; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017788 -------- Hex Payload Start ---------- 0d 0a 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 31 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 72 6f 64 75 63 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 75 70 64 61 74 65 64 2e 22 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2017789 -------- Hex Payload Start ---------- 2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b --------- Hex Payload End ----------- ^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea content:"(0).keep.previous="contentArea"; 
|---------------------| Building Rule: 2017790 -------- Hex Payload Start ---------- 2e 6b 65 65 70 2e 70 72 65 76 69 6f 75 73 20 2e 72 65 73 6f 6c 76 65 4e 6f 64 65 20 28 30 29 2e 6b 65 65 70 2e 70 72 65 76 69 6f 75 73 3d 22 63 6f 6e 74 65 6e 74 41 72 65 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017791 -------- Hex Payload Start ---------- 20 20 4d 53 49 45 20 37 2e 30 20 71 3d 30 2e 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017792 -------- Hex Payload Start ---------- 62 75 74 20 6e 6f 20 6f 6e 65 20 62 65 6c 6c 20 75 6e 72 65 73 70 6f 6e 73 69 76 65 20 54 68 65 20 62 65 73 74 20 72 65 67 61 72 64 20 44 48 4c 2e 63 6f 6d 2e 20 66 69 6c 65 6e 61 6d 65 3d 4e 6f 74 69 63 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017794 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 46 6c 61 73 68 5f 45 78 70 6c 6f 69 74 28 29 20 7b --------- Hex Payload End ----------- ^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f NOT IMPL not _simple(av) in REPEATING CODES content:""687474703a2f2f"; |---------------------| Building Rule: 2017796 -------- Hex Payload Start ---------- 36 38 37 34 37 34 37 30 33 61 32 66 32 66 20 3c 61 70 70 6c 65 74 20 22 36 38 37 34 37 34 37 30 33 61 32 66 32 66 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:trojan-activity; sid:2017797; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017799 -------- Hex Payload Start ---------- 2f 76 61 72 2f 72 75 6e 2f 2e 7a 6f 6c 6c 61 72 64 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2017800 -------- Hex Payload Start ---------- 2f 76 61 72 2f 72 75 6e 2f 2e 7a 6f 6c 6c 61 72 64 2f --------- Hex Payload End ----------- [&?]pwd=dayoff(?:&|$) uricontent:"&pwd=dayoff"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; content:"cmd="; http_uri; nocase; content:"pwd=dayoff"; http_uri; nocase; fast_pattern:only; uricontent:"&pwd=dayoff"; pcre:"/[&?]cmd=/Ui"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2017802 -------- Hex Payload Start ---------- 48 45 41 44 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=system"; http_client_body; nocase; content:"j_password=Passw0rd"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017803; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=system"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017804; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=monitor"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017805; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Operator Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=operator"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017806; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2017807 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017808 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017809 -------- Hex Payload Start ---------- 0d 0a 0d 0a 7c 68 a3 34 36 36 37 38 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017810 -------- Hex Payload Start ---------- 6d 69 73 63 5f 61 64 64 6f 6e 73 5f 64 65 74 65 63 74 2e 68 61 73 53 69 6c 76 65 72 6c 69 67 68 74 --------- Hex Payload End ----------- ^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; |---------------------| Building Rule: 2017811 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 20 --------- Hex Payload End ----------- \/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php uricontent:"/load.php"; |---------------------| Building Rule: 2017813 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- \/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id= uricontent:"/.php?id="; |---------------------| Building Rule: 2017814 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017815 -------- Hex Payload Start ---------- 7c 50 6c 75 67 69 6e 44 65 74 65 63 74 
7c --------- Hex Payload End ----------- ^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email) NOT IMPL Groupref content:"00a@a.0*H # #00"; |---------------------| Building Rule: 2017816 -------- Hex Payload Start ---------- 2a 86 48 86 f7 0d 01 09 01 20 30 30 61 40 61 2e 30 2a 86 48 86 f7 0d 01 09 01 30 30 --------- Hex Payload End ----------- ^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"0unction "; |---------------------| Building Rule: 2017817 -------- Hex Payload Start ---------- 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 3e 20 2e 20 66 20 30 75 6e 63 74 69 6f 6e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017818 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2017819 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- [?&]isn_getlog uricontent:"?isn_getlog"; |---------------------| Building Rule: 2017820 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- [?&]isn_logdel uricontent:"?isn_logdel"; |---------------------| Building Rule: 2017821 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- [?&]isn_logpath uricontent:"?isn_logpath"; |---------------------| Building Rule: 2017822 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:".$_$+.___+.$$$_+.$_$_+"\"+.__$+.$$_+.___+"\"+.__$+._$_+._$$+"\"+.__$+.$$_+.___+"\"+.__$+.$$_+._$_+.$_$_+"\"+.__$+.$$$+.__$"; |---------------------| Building Rule: 2017823 -------- Hex Payload Start ---------- 2e 5f 5f 24 2b 20 2e 24 5f 24 2b 2e 5f 5f 5f 2b 2e 24 24 24 5f 2b 2e 24 5f 24 5f 2b 22 5c 22 2b 2e 5f 5f 24 2b 2e 24 24 5f 2b 2e 5f 5f 5f 2b 22 5c 22 2b 2e 5f 5f 24 2b 2e 5f 24 5f 2b 2e 5f 24 24 2b 22 5c 22 2b 2e 5f 5f 24 2b 2e 24 24 5f 2b 2e 5f 5f 5f 2b 22 5c 22 2b 2e 5f 5f 24 2b 2e 24 24 5f 2b 2e 5f 24 5f 2b 2e 24 5f 24 5f 2b 22 5c 22 2b 2e 5f 5f 24 2b 2e 24 24 24 2b 2e 5f 5f 24 --------- Hex Payload End ----------- ^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\, content:"#)^.charCodeAt(#),"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Landing Page Dec 09 2013"; flow:from_server,established; content:".charCodeAt("; fast_pattern; content:"#)^.charCodeAt(#),"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:trojan-activity; sid:2017824; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2017826 -------- Hex Payload Start ---------- 24 2e 67 65 74 56 65 72 73 69 6f 6e 28 22 53 69 6c 76 65 72 6c 69 67 68 74 22 29 20 24 2e 67 65 74 56 65 72 73 69 6f 6e 28 22 4a 61 76 61 22 29 20 63 61 6c 63 4d 44 35 28 65 6e 63 6f 64 65 5f 75 74 66 38 28 6c 6f 63 61 74 69 6f 6e --------- Hex Payload End ----------- \.html\?jar$ uricontent:".html?jar"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_header; content:".html%3fjar"; http_raw_uri; uricontent:".html?jar"; classtype:trojan-activity; sid:2017827; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2017828 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 53 63 61 6e 6e 69 6e 67 20 66 6f 72 20 6f 70 65 6e 20 70 6f 72 74 73 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2017829 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 4f 70 65 6e 20 70 6f 72 74 28 73 29 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017830 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 4e 6f 20 6f 70 65 6e 20 70 6f 72 74 73 20 66 6f 75 6e 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017831 -------- Hex Payload Start ---------- 50 52 49 56 
4d 53 47 20 20 41 74 74 61 63 6b 69 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017832 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 41 74 74 61 63 6b 20 64 6f 6e 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017833 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 70 65 72 6c 62 30 74 20 76 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017834 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 53 63 61 6e 6e 69 6e 67 20 66 6f 72 20 75 6e 70 61 74 63 68 65 64 20 6d 61 6d 62 6f 20 66 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017835 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 45 78 70 6c 6f 69 74 65 64 20 62 6f 78 65 73 20 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018742 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \.bin$ uricontent:".bin"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; uricontent:".bin"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|"; http_header; depth:32; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/Hm"; classtype:trojan-activity; sid:2017836; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jar"; |---------------------| Building Rule: 2017840 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.eot"; |---------------------| Building Rule: 2017844 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- \/winhost(?:32|64)\.(exe|pack)$ uricontent:"/winhost.exe"; |---------------------| Building Rule: 2017842 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/pony\.(exe|pack)$ uricontent:"/pony.exe"; |---------------------| Building Rule: 2017843 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2017845 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2017846 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$ uricontent:"/?flow_id=0&0=0/case_id=0"; |---------------------| Building Rule: 2017847 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \.html\?sv=[1-5](\,\d+?){1,3}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".html?sv=1"; |---------------------| Building Rule: 2017848 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-) content:"="; |---------------------| Building Rule: 2017849 -------- Hex Payload Start ---------- 2e 64 61 73 68 73 74 79 6c 65 2e 61 72 72 61 79 2e 6c 65 6e 67 74 68 20 3d --------- Hex Payload End ----------- \.html\?id\d*?=[a-f0-9]{32}$ uricontent:".html?id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; uricontent:".html?id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:2;) Parser failed - skipping rule \/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f uricontent:"/.php?a=687474703a2f2f"; |---------------------| Building Rule: 2017851 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017852 -------- Hex Payload Start ---------- 3c 62 6f 64 79 20 6f 6e 6c 6f 61 64 3d 27 45 78 70 6c 6f 69 74 28 29 3b 27 3e 20 3a 73 74 72 6f 6b 65 --------- Hex Payload End ----------- \/lib\/admin\/media-upload(?:-lncthumb|-sq_button)?\.php NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/lib/admin/media-upload.php"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload"; flow:to_server,established; content:"POST"; http_method; content:"/lib/admin/media-upload"; http_uri; uricontent:"/lib/admin/media-upload.php"; content:"<?"; http_client_body; content:".php"; http_client_body; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017853; rev:2;) Parser failed - skipping rule
\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php uricontent:"/wp-content/uploads/optpress/images_/.php";
|---------------------| Building Rule: 2017854 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017855 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017856 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017857 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$ uricontent:"/.aspx?Random=aaaaaaaaaaaaaaaa";
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:35<>37; content:".aspx?Random="; http_uri; fast_pattern:only; uricontent:"/.aspx?Random=aaaaaaaaaaaaaaaa"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017858; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017859 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017860 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End -----------
^\/\d{4,5}\/\d{7}$ uricontent:"/0000/0000000";
|---------------------| Building Rule: 2017861 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e --------- Hex Payload End -----------
\/pdf\.php\?pdf=[a-f0-9]{32}& uricontent:"/pdf.php?pdf=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&";
|---------------------| Building Rule: 2017862 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
\/java\.php\?eid=[a-f0-9]{32}& uricontent:"/java.php?eid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&";
|---------------------| Building Rule: 2017863 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 20 --------- Hex Payload End -----------
[&?]type=\d+(?:$|&) uricontent:"&type=0";
|---------------------| Building Rule: 2017864 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017865 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017866 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017867 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017868 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017869 -------- Hex Payload Start ---------- 47 45 54 20 20 2f 66 69 6e 61 6c 2e 68 74 6d 6c --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
\x22mining\x2E(subscribe|authorize)\x22 content:""mining.subscribe"";
|---------------------| Building Rule: 2017871 -------- Hex Payload Start ---------- 7b 22 69 64 22 3a 20 22 6d 65 74 68 6f 64 22 3a 20 22 6d 69 6e 69 6e 67 2e 20 22 70 61 72 61 6d 73 22 20 22 6d 69 6e 69 6e 67 2e 73 75 62 73 63 72 69 62 65 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017872 -------- Hex Payload Start ---------- 22 72 65 73 75 6c 74 22 3a 20 5b 5b 22 6d 69 6e 69 6e 67 2e 6e 6f 74 69 66 79 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017873 -------- Hex Payload Start ---------- 22 70 61 72 61 6d 73 22 3a 20 5b 22 22 6d 65 74 68 6f 64 22 3a 20 22 6d 69 6e 69 6e 67 2e 6e 6f 74 69 66 79 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017874 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))) content:"";
|---------------------| Building Rule: 2017875 -------- Hex Payload Start ---------- 20 70 61 74 68 3d 20 --------- Hex Payload End -----------
^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c content:"00000000 x";
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern:only; byte_jump:4,0,little,post_offset 1; isdataat:!2,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; content:"00000000 x"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017876; rev:2;) Parser failed - skipping rule
^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c content:"00000000 x";
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern:only; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; content:"00000000 x"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017877; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017878 -------- Hex Payload Start ---------- 7b 22 69 64 22 3a 20 22 6d 65 74 68 6f 64 22 3a 20 22 67 65 74 62 6c 6f 63 6b 74 65 6d 70 6c 61 74 65 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017879 -------- Hex Payload Start ---------- 22 72 65 73 75 6c 74 22 3a 20 7b 20 22 63 6f 69 6e 62 61 73 65 74 78 6e 22 3a 20 7b 20 22 64 61 74 61 22 3a 20 22 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017880 -------- Hex Payload Start ---------- 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 20 28 4d 6f 7a 69 6c 6c 61 29 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017881 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 20 28 4d 6f 7a 69 6c 6c 61 29 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017882 -------- Hex Payload Start ---------- 2e 2e 2f 2e 2e 2f 20 26 77 74 3d 78 73 6c 74 20 26 74 72 3d --------- Hex Payload End -----------
^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl) content:"A5leG";
|---------------------| Building Rule: 2017884 Protocol Not Supported
^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl) content:"A5leG";
|---------------------| Building Rule: 2017885 Protocol Not Supported
|---------------------| Building Rule: 2017886 Protocol Not Supported
^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb) content:"AuY29t";
|---------------------| Building Rule: 2017887 Protocol Not Supported
^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb) content:"AuY29t";
|---------------------| Building Rule: 2017888 Protocol Not Supported
^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3) content:"ALnNjc";
|---------------------| Building Rule: 2017889 Protocol Not Supported
^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3) content:"ALnNjc";
|---------------------| Building Rule: 2017890 Protocol Not Supported
|---------------------| Building Rule: 2017891 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 41 44 3e 3c 54 49 50 41 44 3e 3c 50 4f 50 55 50 3e 3c 52 45 47 3e 48 4b 45 59 5f 4c 4f 43 41 4c 5f 4d 41 43 48 49 4e 45 5c 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c --------- Hex Payload End -----------
|---------------------| Building Rule: 2017892 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$ uricontent:"/?ALvoDc0RHa8NnZ";
|---------------------| Building Rule: 2017893 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017894 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
^\/(?:[A-Fa-f0-9]+|index\.php)$ uricontent:"/";
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kuluoz/Asprox Activity"; flow:established,to_server; content:"POST"; http_method; uricontent:"/"; content:"|80 00 00 00|"; depth:4; http_client_body; content:!"Referer"; http_header; flowbits:set,ET.Kuluoz; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:8;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; content:"Jm9zX2ZsYXZvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:4;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; content:"Zvc19mbGF2b3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:4;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; content:"mb3NfZmxhdm9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:4;) Parser failed - skipping rule
^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA]) NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"<</##";
|---------------------| Building Rule: 2017899 -------- Hex Payload Start ---------- 0d 0a 0d 0a 25 50 44 46 2d 20 6f 62 6a 20 3c 3c 2f 23 23 --------- Hex Payload End -----------
^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>> NOT IMPL not _simple(av) in REPEATING CODES content:" 0/[//]>>";
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit 2013-3346"; flow:established,from_server; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; content:" 0/[//]>>"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:trojan-activity; sid:2017900; rev:4;) Parser failed - skipping rule
^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n NOT IMPL Groupref content:"GET /4aaaaaaaaaaaaa HTTP/1.0 Referer: http://#/ ";
|---------------------| Building Rule: Protocol Not Supported
^\/3[a-z0-9]{13}$ uricontent:"/3aaaaaaaaaaaaa";
|---------------------| Building Rule: 2017902 -------- Hex Payload Start ---------- 20 3a 20 2e 20 0d 0a 0d 0a --------- Hex Payload End -----------
\/([^\x2f]+?\/)?[a-z-_]+?\.(php|html)$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a.php";
|---------------------| Building Rule: 2017903 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 39 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 2e 20 20 --------- Hex Payload End -----------
\/4[a-z0-9]{13}\?&xkey= uricontent:"/4aaaaaaaaaaaaa?&xkey=";
|---------------------| Building Rule: 2017904 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017905 -------- Hex Payload Start ---------- 2f 54 4d 28 67 61 77 67 65 77 61 66 67 77 65 5b 30 5d 2e 23 73 75 62 66 6f 72 6d 5b 30 5d --------- Hex Payload End -----------
\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$ uricontent:"/0.0.0.0.aso";
|---------------------| Building Rule: 2017906 -------- Hex Payload Start ---------- --------- Hex Payload End -----------
^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\( content:"(a.charCodeAt(a)^a.charCodeAt(";
|---------------------| Building Rule: 2017907 -------- Hex Payload Start ---------- 6a 61 76 61 66 78 5f 76 65 72 73 69 6f 6e 20 66 72 6f 6d 43 68 61 72 43 6f 64 65 20 28 61 2e 63 68 61 72 43 6f 64 65 41 74 28 61 29 5e 61 2e 63 68 61 72 43 6f 64 65 41 74 28 20 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 20 61 70 70 6c 65 74 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017908 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 69 c3 34 55 6d 33 53 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017909 -------- Hex Payload Start ---------- 0d 0a 0d 0a ca fe d0 0d --------- Hex Payload End -----------
|---------------------| Building Rule: 2017910 -------- Hex Payload Start ---------- 0d 0a 0d 0a 1f 8b 08 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017911 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?report_version="; http_uri; content:"data="; http_client_body; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017912; rev:2;) Parser failed - skipping rule
^[\x20-\x7e]+?.{8}\x79\x95 content:" 00000000y";
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:to_server,established; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017913; rev:3;) Parser failed - skipping rule
^[\x20-\x7e]+?.{8}\x79\x99 content:" 00000000y";
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:to_server,established; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:trojan-activity; sid:2017914; rev:2;) Parser failed - skipping rule
^[\x20-\x7e]+?.{8}\x7a\x9b content:" 00000000z";
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:to_server,established; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000z"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017915; rev:2;) Parser failed - skipping rule
^.{4}[\x20-\x7e]+?.{4}\x78\x9c content:"0000 0000x";
|---------------------| Building Rule: 2017916 -------- Hex Payload Start ---------- 78 9c 20 30 30 30 30 20 30 30 30 30 78 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
Unsupported keyword! Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017922 Error here depth! -------- Hex Payload Start ---------- 20 20 00 00 42 42 43 42 43 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017925 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 07 62 72 69 64 67 65 73 0a 74 6f 72 70 72 6f 6a 65 63 74 03 6f 72 67 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017926 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 63 68 65 63 6b 0a 74 6f 72 70 72 6f 6a 65 63 74 03 6f 72 67 00 --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2017928 -------- Hex Payload Start ---------- 00 14 63 68 65 63 6b 2e 74 6f 72 70 72 6f 6a 65 63 74 2e 6f 72 67 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017929 -------- Hex Payload Start ---------- 00 16 62 72 69 64 67 65 73 2e 74 6f 72 70 72 6f 6a 65 63 74 2e 6f 72 67 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017930 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3a --------- Hex Payload End -----------
|---------------------| Building Rule: 2017931 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 28 73 2c 61 2c 63 2c 6b 2c 65 2c 64 --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
^.{8}[\x20-\x7e]+?.{5}\x7b\x9e content:"00000000 00000{";
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!7,relative; content:"00000000 00000{"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017934; rev:4;) Parser failed - skipping rule
|---------------------| Building Rule: 2017935 Error here depth! Error here within! -------- Hex Payload Start ---------- 20 20 00 00 20 20 00 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017936 -------- Hex Payload Start ---------- 78 9c 0b cf cc --------- Hex Payload End -----------
|---------------------| Building Rule: 2017940 -------- Hex Payload Start ---------- 77 77 77 2e 77 68 6f 69 73 6d 61 6d 61 2e 72 75 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017941 -------- Hex Payload Start ---------- 77 77 77 2e 64 65 77 65 61 72 74 2e 72 75 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017942 -------- Hex Payload Start ---------- 77 77 77 2e 61 6e 6c 6f 67 74 65 77 72 6f 6e 2e 72 75 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017943 -------- Hex Payload Start ---------- 77 77 77 2e 65 72 6a 65 6e 74 72 6f 6e 65 6d 2e 72 75 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017937 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 67 73 61 2d 63 72 61 77 6c 65 72 0d 0a --------- Hex Payload End -----------
^.{8}[\x20-\x7e]+?.{5}\x7c\x9e content:"00000000 00000|";
Parser failed - skipping rule
^.{8}[\x20-\x7e]+?\x79\x94 content:"00000000 y";
|---------------------| Building Rule: 2017944 Error here depth! Error here depth! -------- Hex Payload Start ---------- 20 20 08 01 20 20 20 20 20 20 20 20 20 79 94 20 30 30 30 30 30 30 30 30 20 79 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End -----------
^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$ uricontent:"/debug/Version/0_0_0_00/trace/";
|---------------------| Building Rule: 2017945 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 20 3a 20 2e --------- Hex Payload End -----------
^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$ uricontent:"/debug/trace/";
|---------------------| Building Rule: 2017946 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 0d 0a 20 3a 20 41 63 63 65 70 74 3a --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LDPinch Checkin Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; distance:0; http_client_body; content:"&d="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; classtype:trojan-activity; sid:2017948; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017949 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 4f 43 41 0d 0a 20 2e 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017950 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 20 20 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017951 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 50 48 50 20 53 68 65 6c 6c 20 6f 66 66 65 6e 64 65 72 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; content:"work_dir="; http_client_body; content:"command="; http_client_body; content:"submit_btn=Execute+Command"; http_client_body; classtype:web-application-attack; sid:2017952; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017953 -------- Hex Payload Start ---------- 77 69 6e 64 6f 77 2e 47 65 74 4b 65 79 20 77 69 6e 64 6f 77 2e 47 65 74 55 72 6c 61 48 52 30 63 44 6f 76 20 23 64 65 66 61 75 6c 74 23 56 4d 4c --------- Hex Payload End -----------
^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27] content:"aODAvMaaaaaaaaaaaaaaaaaa"";
|---------------------| Building Rule: 2017954 -------- Hex Payload Start ---------- 4f 44 41 76 4d 20 2e 47 65 74 55 72 6c 20 61 48 52 30 63 44 6f 20 61 4f 44 41 76 4d 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 22 --------- Hex Payload End -----------
^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27] NOT IMPL not _simple(av) in REPEATING CODES content:"a4MC8xaaaaaaaaaaaaaaaaaa"";
|---------------------| Building Rule: 2017955 -------- Hex Payload Start ---------- 34 4d 43 38 78 20 2e 47 65 74 55 72 6c 20 61 48 52 30 63 44 6f 20 61 34 4d 43 38 78 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 22 --------- Hex Payload End -----------
^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27] content:"aOjgwLaaaaaaaaaaaaaaaaaaa"";
|---------------------| Building Rule: 2017956 -------- Hex Payload Start ---------- 4f 6a 67 77 4c 20 2e 47 65 74 55 72 6c 20 61 48 52 30 63 44 6f 20 61 4f 6a 67 77 4c 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 22 --------- Hex Payload End -----------
^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep) NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"#10097115104115116121108101469711411497121";
|---------------------| Building Rule: 2017957 -------- Hex Payload Start ---------- 6a 61 76 61 66 78 5f 76 65 72 73 69 6f 6e 20 34 36 20 00 31 30 30 39 37 31 31 35 31 30 34 31 31 35 31 31 36 31 32 31 31 30 38 31 30 31 34 36 39 37 31 31 34 31 31 34 39 37 31 32 31 --------- Hex Payload End -----------
\bdig\.dll\b content:"dig.dll";
|---------------------| Building Rule: 2017958 -------- Hex Payload Start ---------- 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c 20 64 69 67 2e 64 6c 6c 20 64 69 67 2e 64 6c 6c --------- Hex Payload End -----------
^\x2F(?:policy|cache)$ uricontent:"/";
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Mevade.Variant CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"uuid|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:"|C8 71 04 ED 87 F6 DD 77 87|"; http_client_body; depth:9; uricontent:"/"; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:trojan-activity; sid:2017959; rev:2;) Parser failed - skipping rule
|---------------------| Building Rule: 2017960 -------- Hex Payload Start ---------- 58 2d 53 74 72 61 74 75 6d 3a --------- Hex Payload End -----------
|---------------------| Building Rule: 2017962 -------- Hex Payload Start ---------- 0d 0a 0d 0a 34 44 35 41 35 30 34 35 30 30 --------- Hex Payload End -----------
^.{16}[a-z]{3}\.dll content:"0000000000000000aaa.dll";
|---------------------| Building Rule: 2017963 Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 50 4b 01 02 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c 20 50 4b 01 02 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 07 00 20 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 61 61 61 2e 64 6c 6c 20 50 4b 05 06 20 20 20 20 02 00 02 00 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017964 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3;) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3;) Parser failed - skipping rule
^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$ uricontent:"/20100000/000000/00000.jsp";
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; content:"POST"; http_method; content:"/201"; http_uri; fast_pattern:only; content:".jsp"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)|0d 0a|"; http_header; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; uricontent:"/20100000/000000/00000.jsp"; threshold:type both,track by_src,count 2,seconds 60; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:trojan-activity; sid:2017967; rev:3;) Parser failed - skipping rule
|---------------------| Building Rule: 2018095 -------- Hex Payload Start ---------- 47 45 54 20 2f 6c 61 75 6e 63 68 2f 3f 63 3d 20 74 20 3a 20 20 20 20 20 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:12; content:"/wow/wow.asp"; depth:12; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"&WOWID="; depth:7; http_client_body; content:"&Area="; distance:0; http_client_body; content:"&WU="; distance:0; http_client_body; content:"&WP="; distance:0; http_client_body; content:"&MAX="; distance:0; http_client_body; content:"&Gold="; distance:0; http_client_body; content:"&Serv="; distance:0; http_client_body; content:"&rn="; distance:0; http_client_body; content:"&key="; distance:0; http_client_body; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:trojan-activity; sid:2017970; rev:3;) Parser failed - skipping rule
|---------------------| Building Rule: 2018617 -------- Hex Payload Start ---------- 47 45 54 20 20 43 68 72 6f 6d 65 2f 31 38 2e 30 2e 31 30 32 35 2e 31 34 32 20 53 61 66 61 72 69 2f 35 33 35 2e 31 39 0d 0a 48 6f 73 74 3a --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Possible Process Dump in POST body"; flow:established,to_server; content:"POST"; http_method; content:"System Idle Process"; fast_pattern:only; http_client_body; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:4;) Parser failed - skipping rule
|---------------------| Building Rule: 2017969 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End -----------
^\/[a-z]+?\?[a-z]+?=[a-z]+$ uricontent:"/a?a=a";
|---------------------| Building Rule: 2017971 -------- Hex Payload Start ---------- 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e --------- Hex Payload End -----------
[a-f0-9]{32}\?v= uricontent:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?v=";
|---------------------| Building Rule: 2018195 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End -----------
Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ICEFOG JAVAFOG JAR checkin"; flow:to_server; content:"POST"; http_method; content:"?title=2.0_-"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Java"; http_header; content:"content=HostName|3a 20|"; depth:18; http_client_body; content:"|0d 0a|Java Version|3a 20|"; distance:0; http_client_body; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http_client_body; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:trojan-activity; sid:2017972; rev:4;) Parser failed - skipping rule
^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r) Parser failed - skipping rule
Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:to_server,established; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:trojan-activity; sid:2017974; rev:2;) Parser failed - skipping rule
^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$ uricontent:"/a?thread=0&key=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|---------------------| Building Rule: 2017975 -------- Hex Payload Start ---------- 20 --------- Hex Payload End -----------
|---------------------| Building Rule: 2017977 Error here within! Error here within! -------- Hex Payload Start ---------- 55 04 03 20 10 63 61 72 64 69 66 66 70 6f 77 65 72 2e 63 6f 6d 55 04 03 20 10 63 61 72 64 69 66 66 70 6f 77 65 72 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2017978 -------- Hex Payload Start ---------- 02 07 04 81 e4 de 05 6a 5a 0b 6d 61 72 63 68 73 66 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2017979 -------- Hex Payload Start ---------- 02 07 2b 00 ee 19 5e ab 1f 10 63 61 6c 69 66 6f 72 6e 69 61 38 39 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2017981 -------- Hex Payload Start ---------- 02 07 27 7d 65 4a cd bf 4e 17 77 77 77 2e 74 68 65 62 6f 73 74 6f 6e 73 68 61 6b 65 72 2e 63 6f 6d --------- Hex Payload End -----------
|---------------------| Building Rule: 2017980 -------- Hex Payload Start ---------- 31 39 39 31 36 45 30 31 2d 42 34 34 45 2d 34 45 33 31 2d 39 34 41 34 2d 34 36 39 36 44 46 34 36 31 35 37 42 --------- Hex Payload
End ----------- ^(?:4\x00[1-9a-f]|5\x00[\da]) content:""; |---------------------| Building Rule: 2017983 Error here within! -------- Hex Payload Start ---------- 00 2d 00 68 00 20 00 32 00 66 00 20 20 00 33 00 61 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017984 -------- Hex Payload Start ---------- 0d 0a 0d 0a 2c 36 f4 6f 6d 6a 66 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017985 -------- Hex Payload Start ---------- 0d 0a 0d 0a 2c 3e f2 32 30 34 6e 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017986 -------- Hex Payload Start ---------- 0d 0a 0d 0a 7d 6b f8 64 76 74 6e 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017987 -------- Hex Payload Start ---------- 12 77 77 77 2e 61 70 70 73 72 65 64 65 65 6d 2e 63 6f 6d --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:to_server,established; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2017988; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2017989 -------- Hex Payload Start ---------- 0d 0a 0d 0a 21 3b e3 70 65 6e 66 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2017992 -------- Hex Payload Start ---------- 20 20 20 48 54 54 50 2f 31 2e 30 0d 0a 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 
2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 0d 0a --------- Hex Payload End ----------- ^[\r\n\s]*?\([^\)]*?[\x22\x27]# content:"("#"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; content:"("#"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:trojan-activity; sid:2017993; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported &id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"&id=aaaaaaaaaaaaaaaa&os="; |---------------------| Building Rule: 2018198 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018664 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 --------- Hex Payload End ----------- ^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x) content:"a"; |---------------------| Building Rule: 2017995 -------- Hex Payload Start ---------- 59 32 31 6b 4c 6d 56 34 5a 53 41 20 61 --------- Hex Payload End ----------- 
^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x) content:"a"; |---------------------| Building Rule: 2017996 -------- Hex Payload Start ---------- 4e 74 5a 43 35 6c 65 47 55 67 20 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x) content:"a"; |---------------------| Building Rule: 2017997 -------- Hex Payload Start ---------- 6a 62 57 51 75 5a 58 68 6c 49 20 61 --------- Hex Payload End ----------- \/\d+\.mp3\x3frnd\x3d\d+$ uricontent:"/0.mp3?rnd=0"; |---------------------| Building Rule: 2017998 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org) NOT IMPL Groupref content:"00a00##U# 00"; |---------------------| Building Rule: Protocol Not Supported [\?&]p=\d&t=\d(&|$) uricontent:"?p=0&t=0&"; |---------------------| Building Rule: 2018110 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 45 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:to_server,established; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2018007; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018008 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6e 65 74 77 6f 72 6b 73 65 63 75 72 69 74 79 78 05 68 6f 70 74 6f 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018011 -------- Hex Payload Start ---------- 30 78 33 64 63 64 65 31 26 26 20 30 78 34 65 32 30 37 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018012 -------- Hex Payload Start ---------- 56 41 47 41 41 2d 4f 50 45 52 41 54 49 4f 4e 3a 20 54 72 61 6e 73 66 65 72 0d 0a --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x7b\x9e content:" 00000000{"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000{"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:trojan-activity; sid:2018013; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018014 Error here within! -------- Hex Payload Start ---------- 01 27 00 00 05 00 00 00 09 6e 6f 64 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 72 6f 74 6f 6d 69 6e 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018015 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 4c 69 6d 69 74 6c 65 73 73 20 4c 6f 67 67 65 72 20 3a 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018016 -------- Hex Payload Start ---------- 4c 69 6d 69 74 6c 65 73 73 20 4c 6f 67 67 65 72 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 72 61 6e 20 6f 6e 20 74 68 69 73 20 63 6f 6d 70 75 74 65 72 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018017 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 50 72 65 64 61 74 6f 72 20 4c 6f 67 67 65 72 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018018 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 43 69 67 69 43 69 67 69 20 4c 6f 67 67 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018019 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 20 50 43 5f 41 63 74 69 76 65 5f 54 69 6d 65 2e 74 78 74 20 0d 0a --------- Hex 
Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018023 -------- Hex Payload Start ---------- 47 45 54 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018024 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 72 52 65 73 70 6f 6e 73 65 20 2e 20 20 --------- Hex Payload End ----------- ^\x2F[A-F0-9]{25,40}$ uricontent:"/AAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2018025 -------- Hex Payload Start ---------- 50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 70 64 61 74 65 72 52 65 73 70 6f 6e 73 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018026 -------- Hex Payload Start ---------- 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018027 -------- Hex Payload Start ---------- 53 00 54 00 41 00 52 00 54 00 53 00 45 00 52 00 56 00 45 00 52 00 42 00 55 00 46 00 46 00 45 00 52 --------- Hex Payload End ----------- \?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-f]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d uricontent:"?uid=00000000&ver=0.00&mk=000000&os=A&rs=a&c=0&rq=0"; |---------------------| Building Rule: 2018028 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-f0-9]{8}\.swf$ uricontent:"/aaaaaaaa.swf"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; uricontent:"/aaaaaaaa.swf"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018031 -------- Hex Payload Start ---------- 5f 64 73 67 77 65 65 64 2e 63 6c 61 73 73 --------- Hex Payload End ----------- ^.{4}[\x20-\x7e]+?.{4}\x78\x9c content:"0000 0000x"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; content:"0000 0000x"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:trojan-activity; sid:2018032; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018033 -------- Hex Payload Start ---------- 0d 0a 53 75 62 6a 65 63 74 3a 20 54 65 6e 49 6e 66 65 63 74 0d 0a 0d 0a 54 65 6e 49 6e 66 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018034 -------- Hex Payload Start ---------- 43 48 45 47 4f 55 2d 4e 4f 49 53 20 7c 20 50 4c 55 47 49 4e 3a 20 20 7c 20 42 52 4f 57 53 45 52 3a --------- Hex Payload End ----------- ^[\x22\x27] content:"""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Jan 29 2014"; flow:from_server,established; content:"<applet"; fast_pattern:only; content:".exe"; content:"""; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2018036 -------- Hex Payload Start ---------- 0d 0a 0d 0a 53 4f 4c 41 52 00 4d 5a 50 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018037 -------- Hex Payload Start ---------- 25 36 36 25 37 35 25 36 65 25 36 33 25 37 34 25 36 39 25 36 66 25 36 65 25 32 30 25 37 32 25 36 35 25 36 34 25 36 39 25 37 32 25 36 35 25 36 33 25 37 34 20 25 36 36 25 37 35 25 36 65 25 36 33 25 37 34 25 36 39 25 36 66 25 36 65 25 32 30 25 36 33 25 37 32 25 36 35 25 36 31 25 37 34 25 36 35 25 34 33 25 36 66 25 36 66 25 36 62 25 36 39 25 36 35 20 25 36 34 25 36 66 25 35 32 25 36 35 25 36 34 25 36 39 25 37 32 25 36 35 25 36 33 25 37 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018038 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018039 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018040 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- \/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$ uricontent:"/viewtopic.php?#=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="; |---------------------| Building Rule: 2018041 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018042 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 41 70 70 6c 
65 20 2d 20 55 70 64 61 74 65 20 59 6f 75 72 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018043 -------- Hex Payload Start ---------- 45 6e 74 65 72 20 79 6f 75 72 20 70 61 73 73 77 6f 72 64 20 56 65 72 69 66 69 65 64 20 62 79 20 56 69 73 61 20 2f 20 4d 61 73 74 65 72 43 61 72 64 20 53 65 63 75 72 65 43 6f 64 65 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Visa - Creds Phished"; flow:established,to_server; content:"/vbv.php"; http_uri; fast_pattern; content:"password="; http_client_body; classtype:trojan-activity; sid:2018044; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018045 -------- Hex Payload Start ---------- 20 6d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/forumdisplay.php?fid="; http_uri; content:"id="; http_client_body; depth:3; content:"&info="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:trojan-activity; sid:2018047; rev:2;) Parser failed - skipping rule \x2Fv[0-9]{3,4}[\x2F\x3F] uricontent:"/v000/"; |---------------------| Building Rule: 2018048 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018049 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 58 45 32 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018050 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 58 45 32 20 20 20 2e 20 20 --------- Hex Payload End ----------- ^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"0/"; |---------------------| Building Rule: 2019201 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 32 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 3b 20 49 6e 66 6f 50 61 74 68 2e 31 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018051 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 31 31 61 0d 0a --------- Hex Payload End ----------- \/[a-z0-9]{1,31}\.bin$ uricontent:"/a.bin"; |---------------------| Building Rule: 2018052 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 3a 20 20 4d 53 49 45 20 20 53 20 2e 20 0a 20 2e 20 2e 20 2e 
20 0a 20 0d 0a 0d 0a --------- Hex Payload End ----------- ^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27] content:"A.php?id=000000""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect 8x8 script tag"; flow:established,from_server; content:".php?id="; content:"/"; distance:-17; within:1; content:"A.php?id=000000""; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:5;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7d\x99 content:" 00000000}"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:to_server,established; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000}"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:trojan-activity; sid:2018054; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2018055 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 20 0d 0a 0d 0a 5a 5a 50 00 --------- Hex Payload End ----------- ^\s+?[^\s\>]+?\s+?SYSTEM\s content:" # SYSTEM "; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"DOCTYPE"; http_client_body; nocase; fast_pattern:only; content:"SYSTEM"; nocase; http_client_body; content:"ENTITY"; nocase; content:" # SYSTEM "; classtype:trojan-activity; sid:2018056; rev:2;) Parser failed - skipping rule ^.{8}\x70\x94[\x20-\x7e] content:"00000000p "; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:"00000000p "; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:trojan-activity; sid:2018057; rev:3;) Parser failed - skipping rule ^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"_#_#_#.#t#x#t"; |---------------------| Building Rule: 2018058 -------- Hex Payload Start ---------- 53 4d 42 a2 5c 00 57 00 49 00 4e 00 44 00 4f 00 57 00 53 00 5c 00 74 00 77 00 61 00 69 00 6e 00 5f 00 33 00 32 00 5c 20 5f 00 5f 00 5f 00 2e 00 74 00 78 00 74 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018059 -------- Hex Payload 
Start ---------- 53 4d 42 4d 31 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018060 -------- Hex Payload Start ---------- 53 4d 42 4d 66 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018061 -------- Hex Payload Start ---------- 53 4d 42 4d 68 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018062 -------- Hex Payload Start ---------- 53 4d 42 4d 6c 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018063 -------- Hex Payload Start ---------- 53 4d 42 54 31 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018064 -------- Hex Payload Start ---------- 53 4d 42 54 66 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) 
content:"aaaaaaaa"; |---------------------| Building Rule: 2018065 -------- Hex Payload Start ---------- 53 4d 42 54 68 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018066 -------- Hex Payload Start ---------- 53 4d 42 54 6c 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018067 -------- Hex Payload Start ---------- 53 4d 42 73 68 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl]) content:"aaaaaaaa"; |---------------------| Building Rule: 2018068 -------- Hex Payload Start ---------- 53 4d 42 73 6c 20 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x7d\x9e content:" 00000000}"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22"; flow:to_server,established; dsize:>11; content:"|7d 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000}"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2018069; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2018071 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018072 -------- Hex Payload Start ---------- 53 49 5a 45 20 6c 69 62 63 75 72 6c 2d 34 2e 64 6c 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018073 -------- Hex Payload Start ---------- 53 49 5a 45 20 65 78 70 6c 6f 72 65 2e 76 62 73 0d 0a --------- Hex Payload End ----------- \.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".php?a1=0&a2="; |---------------------| Building Rule: 2018074 -------- Hex Payload Start ---------- 20 3a 20 2e --------- Hex Payload End ----------- ^.{8}[\x20-\x7e]+?.{2}\x78\x9c content:"00000000 00x"; Unsupported keyword! 
End ----------- (PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4} NOT IMPL not _simple(av) in REPEATING CODES content:""; |---------------------| Building Rule: 2018225 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 2e 63 6c 61 73 73 50 4b 20 --------- Hex Payload End ----------- ^.{16}[a-z]{4}\.dll content:"0000000000000000aaaa.dll"; |---------------------| Building Rule: 2018226 Error here within! Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 01 02 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c 20 50 4b 01 02 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 08 00 20 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 61 61 61 61 2e 64 6c 6c 20 50 4b 05 06 20 20 20 20 02 00 02 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \.php\?b=[A-F0-9]{6}&css=[a-z]+$ content:".php?b=AAAAAA&css=a"; |---------------------| Building Rule: 2018227 -------- Hex Payload Start ---------- 20 20 2e 70 68 70 3f 62 3d 41 41 41 41 41 41 26 63 73 73 3d 61 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018229 Error here within! 
-------- Hex Payload Start ---------- e0 e0 e0 e0 97 89 8e 84 8f 20 20 98 90 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SMSHoax Riskware checkin"; flow:to_server; content:"POST"; http_method; content:"/api.php"; http_uri; content:"YWx0X2FwaV9iYXNlX3Vy"; depth:20; http_client_body; reference:md5,4b779acb1a0e726cee73fc2ca8a6a0be; classtype:trojan-activity; sid:2018230; rev:2;) Parser failed - skipping rule \x2Escr$ uricontent:".scr"; |---------------------| Building Rule: 2018231 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018232 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018233 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 20 0d 0a 0d 0a 50 4b 20 20 20 20 20 20 20 20 20 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018234 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 20 0d 0a 0d 0a 50 4b 20 20 20 20 20 20 20 20 20 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018235 -------- Hex Payload Start ---------- 23 64 65 66 61 75 6c 74 23 56 4d 4c 20 73 74 72 6f 6b 65 20 25 36 36 25 37 35 25 36 65 25 36 33 25 37 34 25 36 39 25 36 66 25 36 65 20 25 36 36 25 37 32 25 36 66 25 36 64 25 34 33 25 36 38 25 36 31 25 37 32 25 34 33 25 36 66 25 36 34 25 36 35 20 25 36 33 25 36 38 25 36 31 25 37 32 25 34 31 25 37 34 --------- Hex Payload End ----------- ^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27] content:"A""; |---------------------| Building Rule: 2018236 -------- Hex Payload Start ---------- 2f 78 2d 73 69 6c 76 65 72 6c 69 67 68 74 2d 32 61 48 52 30 63 44 6f 76 20 41 22 20 2e 65 6f 74 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:trojan-activity; sid:2018237; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018238 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018239 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018240 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018243 -------- Hex Payload Start ---------- 3c 21 2d 2d 68 61 76 65 78 68 61 76 65 78 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018244 -------- Hex Payload Start ---------- 3c 6d 65 67 61 20 68 74 74 70 2d 65 71 75 69 76 3d --------- Hex Payload End ----------- file=SenderClient.conf$ uricontent:"file=SenderClient0conf"; |---------------------| Building Rule: 2018245 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018246 -------- Hex Payload Start ---------- 63 6f 75 6e 74 5f 74 68 72 65 61 64 73 09 09 09 3d 09 20 0a 65 66 66 69 63 69 65 6e 63 79 5f 6c 69 6d 69 74 09 09 3d 09 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018247 -------- Hex Payload Start ---------- 20 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Snake rootkit, usermode-centric encrypted command from server"; flow:to_client,established; content:"200"; http_stat_code; content:"|01 00 00 00 00 00 00 00|1dM3uu4j7Fw4sjnb"; fast_pattern:3,20; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018248; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018249 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 72 6f 77 73 65 72 --------- Hex Payload End ----------- \.exe\?\d{5,}$ uricontent:".exe?00000"; |---------------------| Building Rule: 2018250 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 72 6f 77 73 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&) uricontent:".php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&id=0&type=0"; |---------------------| Building Rule: 2018255 -------- Hex Payload Start ---------- 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018256 Error here within! Error here within! Error here within! -------- Hex Payload Start ---------- 55 04 03 20 0a 2a 2e 63 69 74 79 2e 63 6f 6d 20 55 04 07 20 06 43 69 74 69 65 73 20 55 04 0a 20 0a 53 74 61 74 65 20 43 6f 72 70 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/1[34]\d{8}\.pdf$ uricontent:"/1300000000.pdf"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; uricontent:"/1300000000.pdf"; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018258; rev:10;) Parser failed - skipping rule ^\/1[34]\d{8}\.htm$ uricontent:"/1300000000.htm"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; uricontent:"/1300000000.htm"; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018259; rev:10;) Parser failed - skipping rule ^\d+r\d+o\d+m\d content:"0r0o0m0"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; content:"0r0o0m0"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018261; rev:3;) Parser failed - skipping rule ^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"0r0o0m0C0h0a0r0c0o0d0e0""; |---------------------| Building Rule: 2018262 -------- Hex Payload Start ---------- 23 64 65 66 61 75 6c 74 23 56 4d 4c 20 73 74 72 6f 6b 65 20 76 69 73 69 62 69 6c 69 74 79 68 69 64 64 65 6e 20 22 66 20 30 72 30 6f 30 6d 30 43 30 68 30 61 30 72 30 63 30 6f 30 64 30 65 30 22 --------- Hex Payload End ----------- (?:\.\.\/)+kboxwww\/tmp\/ NOT IMPL not _simple(av) in REPEATING CODES content:"kboxwww/tmp/"; Unsupported keyword! 
Error parsing rule contents alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; content:"kboxwww/tmp/"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2;) Parser failed - skipping rule ^[0-9a-f]{22,46} content:"0000000000000000000000"; Unsupported keyword! Error parsing rule contents alert tcp any any -> any $SSH_PORTS (msg:"ET TROJAN Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; content:"0000000000000000000000"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: 2018265 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 76 71 76 73 61 65 72 67 65 6b 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018266 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 62 63 67 6d 6d 79 6d 70 6d 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018267 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 6a 6d 78 6b 6f 77 7a 6f 65 6e 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018268 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 79 69 78 66 68 73 66 61 78 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018269 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 71 67 6a 68 6d 65 72 6a 65 63 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018270 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 6e 6a 64 79 71 72 62 69 6f 68 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018271 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 62 74 6c 6f 78 63 79 72 6f 6b 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018272 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 61 66 77 79 68 76 69 6e 6d 77 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018273 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 77 79 66 78 61 6e 78 6a 65 75 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018274 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 71 65 6d 79 78 73 64 69 67 69 04 69 6e 66 6f 00 --------- Hex Payload End ----------- ^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01 content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0a0a#####"; |---------------------| Building Rule: 2018275 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 00 01 00 00 00 00 00 00 38 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 30 61 30 61 00 00 01 00 01 --------- Hex Payload End ----------- ^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01 content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0a0a#####"; |---------------------| Building Rule: 2018276 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 00 01 00 00 00 00 00 00 38 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 30 61 30 61 00 00 01 00 01 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern; threshold:type both, track by_src, count 5, seconds 90; classtype:attempted-dos; sid:2018277; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018279 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 74 47 6f 78 42 61 63 6b 4f 66 66 69 63 65 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isnotset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:set,ET.Netwire.HB.1; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018282 -------- Hex Payload Start ---------- 01 00 00 00 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018283 -------- Hex Payload Start ---------- 01 00 00 00 01 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BKDR_SLOTH.A Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:10; content:"/help.html"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0)"; http_header; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:trojan-activity; sid:2018285; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018284 -------- Hex Payload Start ---------- 55 04 0a 13 02 58 58 55 04 0a 13 02 58 58 --------- Hex Payload End ----------- 
^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22 NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"0.__$+.___+.$_$+"\\"+.__$+.__$+.$_$+"\\"+.__$+.___+.$_$+"\\"+.__$+._$_+.$__+".\\"+.__$+.___+.$__+"\\"+.__$+.__$+.$__+"\\"+.__$+.__$+.$__+""; |---------------------| Building Rule: 2018286 -------- Hex Payload Start ---------- 22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22 2b 20 30 2e 5f 5f 24 2b 2e 5f 5f 5f 2b 2e 24 5f 24 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 5f 24 2b 2e 24 5f 24 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 5f 5f 2b 2e 24 5f 24 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 24 5f 2b 2e 24 5f 5f 2b 22 2e 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 5f 5f 2b 2e 24 5f 5f 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 5f 24 2b 2e 24 5f 5f 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 5f 24 2b 2e 24 5f 5f 2b 22 --------- Hex Payload End ----------- ^.{4}[\x20-\x7e]+?.{4}\x7d\x94 content:"0000 0000}"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; content:"0000 0000}"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2018287; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018288 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- id\=[^\r\n]*?(?:select|delete|union|update|insert) uricontent:"id="; |---------------------| Building Rule: 2018289 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018290 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 43 46 4d 20 73 68 65 6c 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2018291 -------- Hex Payload Start ---------- 2f 50 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN MultiThreat/Winspy.RAT Keep-Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits:isset,WinSpy.KeepAlive; threshold:type limit,count 2,track by_src,seconds 300; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018292; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2018293 -------- Hex Payload Start ---------- 58 2d 4d 61 69 6c 65 72 3a 20 53 79 73 4d 6f 6e 20 76 31 2e 30 2e 30 --------- Hex Payload End ----------- ^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS) content:""; |---------------------| Building Rule: 2018294 -------- Hex Payload Start ---------- 2f 43 44 20 5c 5c 5c 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- \/windows$ uricontent:"/windows"; |---------------------| Building Rule: 2018295 Error here depth! 
-------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 4d 53 49 45 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 6f 73 74 3a 20 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018307 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018297 -------- Hex Payload Start ---------- 0d 0a 0d 0a 89 b4 f4 6a 24 1f 46 14 --------- Hex Payload End ----------- ^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10} content:"="#=aaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Mar 20 2014"; flow:established,from_server; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; content:"="#=aaaaaaaaaa"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:trojan-activity; sid:2018298; rev:4;) Parser failed - skipping rule ^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\] NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"#=0;<000;++){#[]=document.createElement("div")#[]"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; content:"createElement(|22|div|22|)"; fast_pattern:only; content:"for("; content:"#=0;<000;++){#[]=document.createElement("div")#[]"; classtype:trojan-activity; sid:2018299; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018302 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 4d 69 72 72 6f 72 65 64 20 66 72 6f 6d 20 62 79 20 48 54 54 72 61 63 6b 20 57 65 62 73 69 74 65 20 43 6f 70 69 65 72 2f 20 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2018303 -------- Hex Payload Start ---------- 3c 54 49 54 4c 45 3e 69 54 75 6e 65 73 20 43 6f 6e 6e 65 63 74 3c 2f 54 49 54 4c 45 3e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH iTunes - Creds Phished"; flow:established,to_server; content:"theAccountName="; http_client_body; content:"theAccountPW="; http_client_body; classtype:trojan-activity; sid:2018304; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH iTunes - PII Phished"; flow:established,to_server; content:"fname="; http_client_body; content:"lname="; http_client_body; content:"hnum="; http_client_body; content:"snam="; http_client_body; classtype:trojan-activity; sid:2018305; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018306 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 61 6c 76 69 6b 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018313 -------- Hex Payload Start ---------- 7b 5c 72 74 7b 5c 6f 62 6a 6f 63 78 5c 20 4d 53 43 6f 6d 63 74 6c 4c 69 62 2e 20 5c 75 2d 35 35 34 5c 75 2d 35 35 34 5c 75 2d 35 35 34 20 5c 75 2d 35 35 34 5c 75 2d 35 35 34 5c 75 2d 35 35 34 5c 75 2d 35 35 34 5c 75 2d 35 35 34 --------- Hex Payload End ----------- ^\s* content:""; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; content:""; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:8;) Parser failed - skipping rule ^\s* content:""; Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; content:""; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:7;) Parser failed - skipping rule ^\s* content:""; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; content:""; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:5;) Parser failed - skipping rule ^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5} NOT IMPL not _simple(av) in REPEATING CODES content:""; |---------------------| Building Rule: 2018310 -------- Hex Payload Start ---------- 78 31 4c 54 55 31 4e 20 --------- Hex Payload End ----------- ^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7} NOT IMPL not _simple(av) in REPEATING CODES content:""; |---------------------| Building Rule: 2018311 -------- Hex Payload Start ---------- 58 48 55 74 4e 54 55 30 20 --------- Hex Payload End ----------- ^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7} NOT IMPL not _simple(av) in REPEATING CODES content:""; |---------------------| Building Rule: 2018312 -------- Hex Payload Start ---------- 63 64 53 30 31 4e 54 20 --------- Hex Payload End ----------- 
^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01 content:"00 aaaaaaaaaaaaa#####"; type both, track by_dst, count 12, seconds 120 |---------------------| Building Rule: 2018316 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 00 01 00 00 00 01 20 30 30 0d 61 61 61 61 61 61 61 61 61 61 61 61 61 00 00 01 00 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018317 -------- Hex Payload Start ---------- 4f 50 54 49 4f 4e 53 20 73 69 70 3a 6e 6d 20 53 49 50 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2018318 -------- Hex Payload Start ---------- 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 43 50 20 6e 6d 20 46 72 6f 6d 3a 20 3c 73 69 70 3a 6e 6d 40 6e 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018319 -------- Hex Payload Start ---------- 12 74 72 75 64 65 61 75 73 6f 63 69 65 74 79 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018320 -------- Hex Payload Start ---------- 2f 70 61 67 65 5f 20 43 6f 6f 6b 69 65 3a 20 58 58 3d 30 3b 20 42 58 3d 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018321 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 73 20 4e 54 20 35 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018322 -------- Hex Payload Start ---------- 55 04 03 20 0b 4d 6f 6a 6f 6c 69 63 69 6f 75 73 55 04 0a 20 0b 4d 6f 6a 6f 6c 69 63 69 6f 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018323 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Slv="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&admin="; http_client_body; content:"&browser="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltUser="; http_client_body; content:"&ver="; http_client_body; content:"&ts="; http_client_body; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:trojan-activity; sid:2018324; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018325 -------- Hex Payload Start ---------- 20 00 00 00 20 00 7c 00 20 00 7c 00 20 00 7c 00 20 00 7c 00 20 00 7c 00 20 00 7c 00 30 00 7c 00 32 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JCE Joomla Extension"; flow:to_server,established; content:".php"; http_uri; content:"option="; http_uri; content:"&task="; http_uri; content:"&plugin=imgmanager"; http_uri; content:"&file="; http_uri; content:"&version="; http_uri; content:"&cid="; http_uri; content:"folderRename"; fast_pattern:only; http_client_body; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:web-application-attack; sid:2018326; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018329 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/install/"; http_uri; content:"q="; http_client_body; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018331; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018332 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 69 6e 33 32 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018333 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 7a 7a 5f 61 66 69 --------- Hex Payload End ----------- ^\s*?\d+?\s*?\)https\x3a\x2f content:"0)https:/"; |---------------------| Building Rule: 2018334 -------- Hex Payload Start ---------- 3c 21 2d 2d 20 73 61 76 65 64 20 66 72 6f 6d 20 75 72 6c 3d 28 20 30 29 68 74 74 70 73 3a 2f 3c 66 6f 72 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018336 -------- Hex Payload Start ---------- 58 2d 4d 61 69 6c 65 72 3a 20 58 69 6d 69 61 6e 45 76 6f 6c 75 74 69 6f 6e 31 2e 34 2e 36 20 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 2e 20 2d --------- Hex Payload End ----------- ^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76 content:"#100#101#102#97#117#108#116#35#86#77#76"; |---------------------| Building Rule: 2018337 -------- Hex Payload Start ---------- 2e 74 65 78 74 2b 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 20 33 35 20 00 31 30 30 00 31 30 31 00 31 30 32 00 39 37 00 31 31 37 00 31 30 38 00 31 31 36 00 33 35 00 38 36 00 37 37 00 37 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018338 -------- Hex 
Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018339 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- ^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"#100#101#102#97#117#108#116#35#86#77#76#"; |---------------------| Building Rule: 2018342 -------- Hex Payload Start ---------- 31 31 37 20 31 30 38 20 31 31 36 20 33 35 20 00 31 30 30 00 31 30 31 00 31 30 32 00 39 37 00 31 31 37 00 31 30 38 00 31 31 36 00 33 35 00 38 36 00 37 37 00 37 36 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018343 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018344 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 62 61 6c 6c 73 61 63 6b 20 2e 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018345 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 77 69 6e 33 32 --------- Hex Payload End ----------- ^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10} NOT IMPL not _simple(av) in REPEATING CODES 
content:"(){return"aaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; content:"(){return"aaaaaaaaaa"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:trojan-activity; sid:2018346; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2018348 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018350 Error here within! -------- Hex Payload Start ---------- 55 04 03 20 1a 77 77 77 2e 70 6f 74 70 6f 75 72 72 69 66 6c 6f 77 65 72 73 2e 63 6f 2e 75 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2018351 Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 0a 6b 69 6f 6e 69 63 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018352 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018355 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 6c 61 63 6b 42 65 72 72 79 39 30 30 30 2f 35 2e 30 2e 30 2e 39 33 20 50 72 6f 66 69 6c 65 2f 4d 49 44 50 2d 32 2e 30 20 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2f 43 4c 44 43 2d 32 2e 31 20 56 65 6e 64 6f 72 49 44 2f 38 33 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018356 -------- Hex Payload Start ---------- 3c 68 74 6d 6c 3e 6b 65 6e 6a 69 20 6f 6b 65 3c 2f 68 74 6d 6c 3e 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018357 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported \/13[89]\d{7}.swf$ uricontent:"/13800000000swf"; |---------------------| Building Rule: 2018360 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \/14\d{8}(?:\.swf)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/1400000000"; |---------------------| Building Rule: 2018361 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*? 
content:"<</A(A)"; |---------------------| Building Rule: 2018363 -------- Hex Payload Start ---------- 31 33 20 30 20 6f 62 6a 20 3c 3c 2f 41 28 41 29 20 2f 58 46 41 5b 28 63 6f 6e 66 69 67 29 31 37 20 30 20 52 5d 20 2f 46 69 65 6c 64 73 20 5b 31 34 20 30 20 52 5d 0d 0a 3e 3e --------- Hex Payload End ----------- ^\d{1,2} content:"0"; Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; content:"|55 04 03|"; byte_test:1,>,11,1,relative; byte_test:1,<,14,1,relative; content:"ssl"; distance:2; within:3; content:"0"; content:".ovh.net"; within:8; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018366 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 6d 72 62 61 73 69 63 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018367 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 2e --------- Hex Payload End ----------- ^\/[a-z]{2}\x3Fv\x3D[0-9]$ uricontent:"/aa?v=0"; |---------------------| Building Rule: 2018368 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 74 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018369 -------- Hex Payload Start ---------- 53 69 6c 65 6e 74 7a 27 73 20 54 72 69 63 6b 73 3a 20 61 63 74 69 6f 6e 3d 63 6d 64 32 20 53 74 61 72 74 20 4e 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018370 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018371 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 7a 65 68 69 72 33 2d 2d 3e 20 70 6f 77 65 72 65 64 20 62 79 20 7a 65 68 69 72 20 53 69 73 74 65 6d 20 42 69 6c 67 69 6c 65 72 69 20 63 6f 6c 6f 72 3d 72 65 64 3e 4c 6f 63 61 6c 20 41 64 72 65 73 3c 2f 74 64 20 7a 65 68 69 72 68 61 63 6b 65 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET !$HTTP_PORTS -> any any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018375; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2018381 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 68 69 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:8;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported ^\x2F2p\x2F[a-z]{1,2}\.exe$ uricontent:"/2p/a.exe"; |---------------------| Building Rule: 2018385 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27] NOT IMPL Groupref content:"-0 0filename="""; |---------------------| Building Rule: Protocol Not Supported ^\W content:""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; content:""; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:5;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018390 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 55 60 67 6c 69 70 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018392 -------- Hex Payload Start ---------- 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 5b 56 65 72 73 69 6f 6e 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 30 39 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018393 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 0d 0a 0d 0a 63 72 79 70 74 3d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/[mp]od[12]\/[^\/]+?\.exe$ uricontent:"/mod1/#.exe"; |---------------------| Building Rule: 2018395 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 2e 20 48 6f 73 74 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018396 Error here within! -------- Hex Payload Start ---------- 55 04 03 20 0f 2a 2e 62 72 6f 77 73 65 74 6f 72 2e 63 6f 6d --------- Hex Payload End ----------- ^[^\x00]+?\x00 content:"##"; |---------------------| Building Rule: 2018397 -------- Hex Payload Start ---------- 10 72 6a 32 62 6f 63 65 6a 61 72 71 6e 70 75 68 6d 20 01 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018399 Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 20 6b 70 68 69 6a 6d 75 6f 32 78 35 65 78 70 61 67 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported \/[\x2f\x2bA-Za-z0-9]{59}AAA==$ uricontent:"////////////////////////////////////////////////////////////AAA=="; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Kazy Checkin"; flow:established,to_server; content:"AAA=="; http_uri; fast_pattern:only; urilen:65; uricontent:"////////////////////////////////////////////////////////////AAA=="; classtype:trojan-activity; sid:2018401; rev:2;) Parser failed - skipping rule \/\d{2,}\.xap$ uricontent:"/00.xap"; |---------------------| Building Rule: 2018402 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \.exe$ uricontent:".exe"; |---------------------| Building Rule: 2018403 -------- Hex Payload Start ---------- 20 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a 20 20 4d 53 49 45 20 20 3a 20 3a 20 2e 20 2e 20 2e 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018404 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 68 65 6c 6c 6f 20 63 72 61 7a 79 6b --------- Hex Payload End ----------- |---------------------| Building Rule: 2018405 -------- Hex Payload Start ---------- 6c 61 64 79 38 76 68 63 20 65 76 61 6c 28 66 75 6e 63 74 69 6f 6e 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018406 -------- Hex Payload Start ---------- 10 67 72 61 6d 73 37 65 6e 75 66 69 37 6a 6d 64 6c --------- Hex Payload End ----------- ^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/#/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018407 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018408 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 25 50 44 46 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018409 -------- Hex Payload Start ---------- 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2018410 -------- Hex Payload Start ---------- 0d 0a 0d 0a 5a 57 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018411 -------- Hex Payload Start ---------- 0d 0a 0d 0a 43 57 53 --------- Hex Payload End ----------- ^\/1+$ uricontent:"/1"; |---------------------| Building Rule: 2018413 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 2e 20 20 4d 53 49 45 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:trojan-activity; sid:2018415; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018416 -------- Hex Payload Start ---------- 53 54 4f 52 20 66 74 70 63 68 6b 33 2e 70 68 70 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018417 -------- Hex Payload Start ---------- 0d 0a 31 35 30 20 66 74 70 63 68 6b 33 2e 70 68 70 0d 0a 32 32 36 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018418 -------- Hex Payload Start ---------- 16 03 01 16 03 01 52 14 cb 90 12 69 6e 66 6f 40 70 61 72 61 6c 6c 65 6c 73 2e 63 6f 6d --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"User-Agent|3A| Opera/9.25 (Windows NT 6.0|3B| U|3B|"; http_header; fast_pattern:12,20; content:"Host|3A| windowsupdate.microsoft.com"; http_header; content:"Connection|3A| Close"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:6;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN hacker87 checkin"; flow:to_server,established; content:"POST"; http_method; content:"/AppEn.php"; fast_pattern:only; http_uri; content:"parameter="; depth:10; http_client_body; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:trojan-activity; sid:2018420; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"SV2|0d 0a|"; http_header; content:"valor="; depth:6; http_client_body; content:"verde"; http_client_body; content:"branco"; http_client_body; content:"vermelho"; fast_pattern:only; http_client_body; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:trojan-activity; sid:2018516; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2018422 Parser failed - skipping rule |---------------------| Building Rule: 2018423 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 62 61 73 65 3e 50 47 4e 74 5a 44 --------- Hex Payload End ----------- ^\/post\.aspx\?[^&]+=[0-9]{9,10}$ uricontent:"/post.aspx?#=000000000"; |---------------------| Building Rule: 2018425 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018426 -------- Hex Payload Start ---------- 41 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2018427 -------- Hex Payload Start ---------- 41 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018428 -------- Hex Payload Start ---------- 43 72 79 73 74 61 6c 6c 69 7a 65 20 2d 66 69 6c 74 65 72 41 41 41 41 --------- Hex Payload End ----------- type limit, count 1, seconds 300, track by_src |---------------------| Building Rule: 2018430 -------- Hex Payload Start ---------- 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 20 0d 0a 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 0d 0a 00 --------- Hex Payload End ----------- type limit, count 1, seconds 300, track by_src |---------------------| Building Rule: 2018431 Error here within! -------- Hex Payload Start ---------- 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 20 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 0d 0a --------- Hex Payload End ----------- type limit, count 1, seconds 300, track by_src |---------------------| Building Rule: 2018432 Error here within! -------- Hex Payload Start ---------- 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 20 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 0d 0a 0d 0a --------- Hex Payload End ----------- type limit, count 1, seconds 300, track by_src |---------------------| Building Rule: 2018433 Error here within! 
-------- Hex Payload Start ---------- 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 20 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 0d 0a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018434 -------- Hex Payload Start ---------- 20 20 48 6f 73 74 3a 20 77 61 74 73 6f 6e 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018435 -------- Hex Payload Start ---------- 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f --------- Hex Payload End ----------- ^\s*?\( content:"("; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; content:"("; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2018436 -------- Hex Payload Start ---------- 20 20 48 6f 73 74 3a 20 77 61 74 73 6f 6e 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018438 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 03 74 75 6e 10 76 70 6e 6f 76 65 72 64 6e 73 03 63 6f 6d 00 --------- Hex Payload End ----------- ^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname) NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref content:"0*/#(#);(#);"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; content:"#default#VML"; nocase; fast_pattern:only; content:"/*"; content:"0*/#(#);(#);"; classtype:trojan-activity; sid:2018440; rev:5;) Parser failed - skipping rule \.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)& uricontent:".php?req=&"; |---------------------| Building Rule: 2018441 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php?q=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018442 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/check_value.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"identifiant="; http_client_body; depth:12; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:trojan-activity; sid:2018443; rev:2;) Parser failed - skipping rule \x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=) NOT IMPL not _simple(av) in REPEATING CODES content:"<value=""; |---------------------| Building Rule: 2018447 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 3c 70 61 72 61 6d 3c 76 61 6c 75 65 3d 20 3c 76 61 6c 75 65 3d 22 --------- Hex Payload End ----------- ^\/j\/[a-f0-9]{8}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{12}\/0001\/?$ uricontent:"/j/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/0001"; |---------------------| Building Rule: 2018448 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018449 -------- Hex Payload Start ---------- 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 39 70 31 20 44 65 62 69 61 6e 2d 35 75 62 75 6e 74 75 31 2e 31 --------- Hex Payload End ----------- ^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?= NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"aaaaaa"> <script>a="; |---------------------| Building Rule: Protocol Not Supported [\/=][a-z0-9]{8,}$ uricontent:"/aaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall Check-in"; flow:established,to_server; urilen:<134; content:!"|0d 0a|Accept-"; nocase; http_header; uricontent:"/aaaaaaaa"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:13;) Parser failed - skipping rule \/p?2p\/[a-z]{3}$ uricontent:"/2p/aaa"; |---------------------| Building Rule: 2018453 -------- Hex Payload Start ---------- 20 2e 20 3a --------- Hex Payload End ----------- ^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$ uricontent:"/assets/js/jquery-0.0.0.min.js?ver=0.0.0"; |---------------------| Building Rule: 2018454 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2018456 -------- Hex Payload Start ---------- 50 4f 53 54 20 2e 20 74 20 3a 20 50 72 61 67 6d 61 3a 20 31 33 33 37 0d 0a --------- Hex Payload End ----------- ^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc) NOT IMPL Groupref content:"00a00##U##00"; |---------------------| Building Rule: 2018457 -------- Hex Payload Start ---------- 06 03 55 04 07 20 30 30 61 30 30 06 03 55 04 07 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018458 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 44 4c 2f 31 2e 32 20 28 4d 6f 7a 69 6c 6c 61 29 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; content:"|0d 0a 0d 0a|<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2018460 -------- Hex Payload Start ---------- 55 04 03 20 0c 69 63 6c 61 73 73 68 64 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018461 -------- Hex Payload Start ---------- 55 04 03 20 13 77 77 77 2e 73 61 62 7a 65 76 61 72 73 65 7a 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018463 -------- Hex Payload Start ---------- 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 29 0d 0a 48 6f 73 74 3a 20 3a 20 2e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:5;) Parser failed - skipping rule ^[a-z0-9_-]*?\.class content:".class"; |---------------------| Building Rule: 2018465 -------- Hex Payload Start ---------- 41 64 77 69 6e 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- ^[a-z0-9_-]*?\.class content:".class"; |---------------------| Building Rule: 2018466 -------- Hex Payload Start ---------- 55 6e 72 65 63 6f 6d 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018467 -------- Hex Payload Start ---------- c3 b8 ba ab a0 bc b0 b1 c1 7c 20 7c 4e 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2018468 -------- Hex Payload Start ---------- 7c 44 49 52 23 30 23 62 69 6e 7c 44 49 52 23 30 --------- Hex Payload End ----------- ^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20 NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"756e6374696f6e20"; |---------------------| Building Rule: 2018469 -------- Hex Payload Start ---------- 23 64 65 66 61 75 6c 74 23 56 4d 4c 20 3a 73 74 72 6f 6b 65 20 3a 6f 76 61 6c 20 36 36 20 37 35 36 65 36 33 37 34 36 39 36 66 36 65 32 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018470 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018471 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[\x22\x27] content:"""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; content:"javarhino"; fast_pattern; nocase; content:"""; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:trojan-activity; sid:2018472; rev:3;) Parser failed - skipping rule ^\x2Fel\x2Fsregister\x2Ephp\x3Fname\x3D[a-f0-9]{32}$ uricontent:"/el/sregister.php?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018474 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\x2Fel\x2Fslogin\x2Ephp\x3Fuid\x3D[a-f0-9]{32}$ uricontent:"/el/slogin.php?uid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018475 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018477 Error here within! -------- Hex Payload Start ---------- 02 00 06 20 20 20 20 01 bb --------- Hex Payload End ----------- |---------------------| Building Rule: 2018478 -------- Hex Payload Start ---------- 03 00 30 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern:only; content:"|0B 00|"; depth:2; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018479; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2018480 -------- Hex Payload Start ---------- 55 04 03 20 0c 64 66 73 64 69 72 65 63 74 2e 63 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018482 -------- Hex Payload Start ---------- 55 53 45 52 20 61 73 73 20 6c 6f 63 61 6c 68 6f 73 74 20 6c 6f 63 61 6c 68 6f 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018483 -------- Hex Payload Start ---------- 50 41 53 53 20 65 59 6d 55 72 6d 79 41 66 47 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018484 -------- Hex Payload Start ---------- 3a 48 65 6c 6c 2e 4e 65 74 77 6f 72 6b 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:to_server,established; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:trojan-activity; sid:2018486; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:to_server,established; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:trojan-activity; sid:2018487; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:to_server,established; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:trojan-activity; sid:2018488; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018631 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018489 Error here depth! Error here within! 
-------- Hex Payload Start ---------- 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 20 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 20 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 --------- Hex Payload End ----------- name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22 content:"name=".gadget""; |---------------------| Building Rule: 2018490 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 3b 20 20 20 20 20 20 20 2e 67 61 64 67 65 74 22 20 6e 61 6d 65 3d 22 2e 67 61 64 67 65 74 22 --------- Hex Payload End ----------- ^\/[^\x2f]+?\/create\.php\?[a-z0-9]+\x3d[a-z0-9\x5f\x2d]+?$ uricontent:"/#/create.php?a=a"; |---------------------| Building Rule: 2018491 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018492 -------- Hex Payload Start ---------- 11 77 77 77 2e 6d 79 70 61 72 61 64 69 73 2e 63 6f 6d --------- Hex Payload End ----------- ^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$ uricontent:"/00x00/a.php?aa=0"; |---------------------| Building Rule: 2018493 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2018494 Protocol Not Supported |---------------------| Building Rule: 2018495 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$ uricontent:"/aaaaaaa/aaaaaaa/"; |---------------------| Building Rule: 2018496 Error here depth! Error here depth! -------- Hex Payload Start ---------- 2e 20 20 4d 53 49 45 20 20 50 4f 53 54 20 20 20 20 2e --------- Hex Payload End ----------- [&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)= uricontent:"&v_=0&v_=0&v_=0&v_=0&v_=0&v_="; |---------------------| Building Rule: 2018920 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018498 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 66 6f 74 6f 73 61 73 74 65 72 2e 64 6c 6c 20 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2018499 -------- Hex Payload Start ---------- 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 3c 69 6e 74 65 72 76 61 6c 3e 3c 2f 69 6e 74 65 72 76 61 6c 3e 3c 74 69 6d 65 6f 75 74 3e 3c 2f 74 69 6d 65 6f 75 74 3e 20 d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20 63 26 63 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018500 -------- Hex Payload Start ---------- 50 61 79 6c 6f 61 64 58 2e 63 6c 61 73 73 --------- Hex Payload End ----------- ^\s*?=\s*?window\.document\.createElement content:"=window.document.createElement"; |---------------------| Building Rule: 2018501 -------- Hex Payload Start ---------- 66 64 73 61 77 5b 66 77 65 67 67 5d 20 3d 77 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018502 -------- Hex Payload Start ---------- 7b 76 61 72 20 62 6d 77 3d 5b 32 36 33 2c 32 37 35 2c 32 37 35 2c 32 37 
31 2c 32 31 37 2c 32 30 36 2c 32 30 36 2c 32 36 32 2c 32 35 36 2c 32 37 34 2c 32 36 39 2c 32 36 30 2c 32 37 34 2c 32 30 35 2c 32 35 38 2c 32 37 30 2c 32 36 38 2c 32 31 37 2c 32 31 35 2c 32 30 37 2c 32 31 30 2c 32 30 36 2c 32 30 37 2c 32 30 37 2c 32 30 38 2c 32 30 35 2c 32 36 30 2c 32 37 39 2c 31 35 39 2c 32 36 30 5d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018503 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 28 2f 2a 6a 73 63 6b 76 69 70 2a 2f 70 2c 2f 2a 6a 73 63 6b 76 69 70 2a 2f 61 2c 2f 2a 6a 73 63 6b 76 69 70 2a 2f 63 2c 6b 2c 2f 2a 6a 73 63 6b 76 69 70 2a 2f 65 2c 2f 2a 6a 73 63 6b 76 69 70 2a 2f 64 2f 2a 6a 73 63 6b 76 69 70 2a 2f 29 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Zeus.BitcoinMiner Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"sysin="; fast_pattern; depth:6; http_client_body; content:"?user="; http_uri; nocase; content:"&type="; http_uri; nocase; content:"&id="; http_uri; nocase; content:!"Referer|3A|"; http_header; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/05/16/zeuscoiner-detection-zeus-variant-engages-in-bitcoining; classtype:trojan-activity; sid:2018504; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018506 -------- Hex Payload Start ---------- 55 04 03 20 0c 68 6f 74 2d 62 75 79 73 2e 6f 72 67 --------- Hex Payload End ----------- \.php\?m=[A-F0-9]{12} uricontent:".php?m=AAAAAAAAAAAA"; |---------------------| Building Rule: 2018507 Error here depth! 
-------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 43 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 29 0d 0a 48 6f 73 74 3a 20 2e 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018509 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3a 0e a6 51 77 79 53 59 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018510 -------- Hex Payload Start ---------- 0d 0a 0d 0a 2c 3e c2 32 61 34 6e 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018511 Parser failed - skipping rule ^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$ uricontent:"/?s1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018512 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/DownloadGuide.A"; flow:established, to_server; content:"POST"; http_method; content:"/1/dg/3"; http_uri; fast_pattern; content:"Content-Type|3a| application/json"; http_header; content:!"Referer|3a|"; http_header; content:"{|22|BuildId|22 3a|"; http_client_body; content:"|22|Campaign|22|"; http_client_body; content: "|22|TrackBackUrl|22|"; http_client_body; reference:md5,37b91123a58a48975770241445392aeb; classtype:trojan-activity; sid:2018513; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018514 -------- Hex Payload Start ---------- 73 2e 73 72 63 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 73 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2018515 -------- Hex Payload Start ---------- 0c 73 74 61 74 73 77 61 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018517 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 8e 00 24 ea --------- Hex Payload End ----------- |---------------------| Building Rule: 2018519 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 72 6f 6d 65 30 33 32 31 0d 0a --------- Hex Payload End ----------- ^\d{10,20}&imsi=\d{10,15}&device_name= uricontent:"0000000000&imsi=0000000000&device_name="; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; uricontent:"0000000000&imsi=0000000000&device_name="; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (default)"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a 20|default|0d 0a|"; http_header; fast_pattern:1,20; content:"mode="; depth:5; http_client_body; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018522; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018523 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 72 68 79 6e 6f 33 32 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018524 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 42 54 43 4d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018525 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 6c 61 79 65 72 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018526 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 75 6c 74 75 72 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018527 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 48 49 62 6f 74 2f 31 2e 30 0d 0a --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2018528 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 78 65 68 61 6e 6f 72 74 33 32 31 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018529 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 09 0d 0a --------- Hex Payload End ----------- ^\/getc(?:loud|onf)\/\?c= uricontent:"/getc/?c="; |---------------------| Building Rule: 2018530 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018532 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 7a 7a 69 6d 61 2d 6e 6c 6f 61 64 65 72 2f 20 31 2e 30 2e 33 2e 31 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018533 Error here depth! -------- Hex Payload Start ---------- 2f 66 65 6e 67 6d 69 61 6e 2f 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6d 65 69 6e 76 36 2e 34 2e 30 20 71 69 75 20 73 68 6f 75 20 67 6f 75 2c 20 7a 68 69 20 6d 61 69 20 35 30 33 20 77 61 6e 20 72 65 6e 20 6d 69 6e 20 62 69 0d 0a 20 3a --------- Hex Payload End ----------- \/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/3//aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018534 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018535 -------- Hex Payload Start ---------- 6c 72 74 43 66 64 50 2e 46 44 50 2c 46 44 50 2e 46 44 50 6f 72 63 41 20 72 65 76 65 72 73 65 
--------- Hex Payload End ----------- \/3\/[a-f0-9]{32}\/http\x3a\x2f uricontent:"/3/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/http:/"; |---------------------| Building Rule: 2018536 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018538 Error here within! -------- Hex Payload Start ---------- 55 04 03 20 20 2a 2e 74 6f 72 32 77 77 77 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018539 -------- Hex Payload Start ---------- 55 04 03 74 6f 72 65 78 70 6c 6f 72 65 72 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018540 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018541 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 53 6e 3a 20 20 58 2d 53 65 73 73 69 6f 6e 3a 20 20 58 2d 53 74 61 74 75 73 3a 20 20 58 2d 53 69 7a 65 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018542 Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 1e 73 74 61 74 69 63 2d 31 38 32 2d 31 38 2d 31 34 33 2d 31 34 30 2e 63 74 72 6c 73 2e 69 6e --------- Hex Payload End ----------- \/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$ uricontent:"/viewforum.php?f=0&sid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2018543 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3a 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018544 -------- Hex Payload Start ---------- 68 73 61 6c 46 65 76 61 77 6b 63 6f 68 53 2e 68 73 61 6c 46 65 76 61 77 6b 63 6f 68 53 20 72 65 76 65 72 73 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018545 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 64 2d 73 74 72 65 61 6d --------- Hex Payload End ----------- ^\x2fimage\x2f[A-Za-z0-9\+_-]+\x2ejpg$ uricontent:"/image/A.jpg"; |---------------------| Building Rule: 2018546 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f --------- Hex Payload End ----------- ^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$ uricontent:"/history/A.asp"; |---------------------| Building Rule: 2018547 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 
74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f --------- Hex Payload End ----------- ^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$ uricontent:"/tech/s.asp?m=A"; |---------------------| Building Rule: 2018548 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f --------- Hex Payload End ----------- ^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$ uricontent:"/docs/name=/A"; |---------------------| Building Rule: 2018549 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f --------- Hex Payload End ----------- ^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$ uricontent:"/manage/asp/item.asp?id=A&&mux=A"; |---------------------| Building Rule: 2018550 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f --------- Hex Payload End ----------- ^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$ uricontent:"/article/30441/Review.asp?id=A&&data=A"; |---------------------| Building Rule: 2018551 -------- Hex Payload Start 
---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f --------- Hex Payload End ----------- ^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$ uricontent:"/home/index.asp?typeid="; |---------------------| Building Rule: 2018552 -------- Hex Payload Start ---------- 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018553 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 65 6c 6c 6f 20 32 2e 30 0d 0a --------- Hex Payload End ----------- \/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/default.asp?tmp="; |---------------------| Building Rule: 2018554 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018555 -------- Hex Payload Start ---------- c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018556 -------- Hex Payload Start ---------- 20 48 6f 73 74 3a 20 63 6f 6d 6d 6f 6e 64 61 74 61 73 74 6f 72 61 67 65 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 0d 0a 20 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32.SoftPulse Checkin"; flow: established, to_server; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29|"; http_header; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; http_client_body; content:"|22|machine_ID|22 3a 22|"; distance:0; http_client_body; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:trojan-activity; sid:2018557; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:trojan-activity; sid:2018736; rev:7;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018579
Error here within!
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20 20 20 20 2e 20 2e 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018596
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f
--------- Hex Payload End -----------
Unsupported keyword!
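The "Hex Payload" blocks in this log are the rule's positive `content` matches decoded to raw bytes, and a rule is dropped as soon as the converter meets an option it does not handle. As an added example, not code from the log or from the converter that produced it, the following Python reproduces that decoding step on the Win32.SoftPulse rule (sid 2018557) logged just above: it splits the option body on `;` while respecting double quotes and backslash escapes, expands `|hh hh|` hex groups, and keeps negated (`content:!"..."`) matches apart so they are never dumped as payload. The `Rule` class, the function names and the choice to join consecutive contents with one space are assumptions of this example, not observed converter behaviour.

```python
import re
from dataclasses import dataclass

# Rule text copied from the log above (sid 2018557), used here as sample input.
SOFTPULSE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32.SoftPulse Checkin"; '
    'flow: established, to_server; content:"POST"; http_method; '
    'content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29|"; http_header; '
    'content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; '
    'depth:45; http_client_body; content:"|22|machine_ID|22 3a 22|"; distance:0; http_client_body; '
    'reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; '
    'classtype:trojan-activity; sid:2018557; rev:4;)'
)

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    options: list  # ordered (keyword, value) pairs; value is None for bare keywords


def split_options(body):
    """Split 'k:v; k; ...' on ';' while honouring double quotes and backslash escapes."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if quoted and c == '\\' and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep \" \; \\ intact; decoded later per content
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    pairs = []
    for opt in opts:
        if not opt:
            continue
        key, sep, value = opt.partition(':')
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort/Suricata rule')
    return Rule(m['action'], m['proto'], m['src'], m['dst'], split_options(m['opts']))


def content_to_bytes(value):
    # Decode one content value into (negated, bytes): a leading '!' negates the match,
    # '|3a 20|' groups are raw hex bytes, and \" \; \\ stand for the literal character.
    negated = value.startswith('!')
    s = value[1:] if negated else value
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        raise ValueError('content value must be quoted: %r' % value)
    s, out, i = s[1:-1], bytearray(), 0
    while i < len(s):
        c = s[i]
        if c == '|':
            j = s.index('|', i + 1)
            out += bytes.fromhex(s[i + 1:j])
            i = j + 1
        elif c == '\\' and i + 1 < len(s):
            out += s[i + 1].encode('latin-1')
            i += 2
        else:
            out += c.encode('latin-1')
            i += 1
    return negated, bytes(out)


def decoded_contents(rule):
    return [content_to_bytes(v) for k, v in rule.options if k in ('content', 'uricontent')]


def hex_payload(rule):
    """Positive contents as space-separated hex; negated contents are left out."""
    return ' '.join(' '.join('%02x' % b for b in data)
                    for negated, data in decoded_contents(rule) if not negated)


def keywords(rule):
    """Distinct option keywords, i.e. what a converter has to support to build this rule."""
    return sorted({k for k, _ in rule.options})


if __name__ == '__main__':
    r = parse_rule(SOFTPULSE_RULE)
    print('sid', dict(r.options)['sid'], 'keywords', keywords(r))
    print(hex_payload(r))
```

Feeding a rule through `keywords()` before conversion gives the list to diff against whatever the target engine supports, which is cheaper than discovering the gap from a "Parser failed - skipping rule" line afterwards.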
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Ex-filtrating Data"; flow:established,to_server; content:"POST"; http_method; content:"POST /"; depth:6; http_client_body; fast_pattern; content:"User-Agent|3a| Wget/"; http_header; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018578; rev:6;)
Parser failed - skipping rule
^(?P<len>.{3})..\x00\x00\x00(?:(?!(?P=len)).){3}
NOT IMPL not _simple(av) in REPEATING CODES
content:"00000###";
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; content:"00000###"; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:1;)
Parser failed - skipping rule
^(?P<len>.{3})..\x00\x00\x00(?:(?!(?P=len)).){3}
NOT IMPL not _simple(av) in REPEATING CODES
content:"00000###";
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; content:"00000###"; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:1;)
Parser failed - skipping rule
^(?P<len>.{3})..\x00\x00\x00(?:(?!(?P=len)).){3}
NOT IMPL not _simple(av) in REPEATING CODES
content:"00000###";
Unsupported keyword!
Error parsing rule contents
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; content:"00000###"; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:2;)
Parser failed - skipping rule
^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$
uricontent:"/load_module.php?user=n1";
|---------------------|
Building Rule: 2018562
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$
uricontent:"/modules/.swf";
|---------------------|
Building Rule: 2018563
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
^\x2Fmodules\x2F(1|2)\x2Ejar$
uricontent:"/modules/1.jar";
|---------------------|
Building Rule: 2018564
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$
uricontent:"/evt/?nexcb=aaaaaaaaaa";
Unsupported keyword!
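The three DTLS rules (sids 2018559, 2018560 and 2018561) are rejected for the same reason: their pcre `^(?P<len>.{3})..\x00\x00\x00(?:(?!(?P=len)).){3}` uses a backreference inside a repeated group, which the converter reports as "NOT IMPL ... in REPEATING CODES". Read against the DTLS handshake header, that pattern, applied right after the `|01|` ClientHello type byte, demands a three-byte message length, two bytes of message_seq, a zero fragment_offset and a fragment_length that differs from the length, with the two `byte_test:3,>,0` options requiring both lengths to be non-zero. As an added example that is neither from the log nor from the converter, the Python below implements that decision directly on a UDP payload and also runs the original pcre through Python's `re`, so the structured check and the regex can be compared on the same datagrams; the packet builder, function names and sample datagrams are constructed for this example. Two caveats a practitioner should carry: a first fragment whose fragment_length is shorter than the message length is exactly what a legitimately fragmented ClientHello looks like as well, so a hit is a trigger for inspection rather than proof of CVE-2014-0195 exploitation (the rule messages say "Possible" for that reason); and the Pre 1.0 rule's first content is only nine bytes long, so its `distance:3` lands one byte earlier than in the 1.0 and 1.2 rules, which is worth verifying before relying on that sid. The example assumes the 13-byte record header for all three versions.

```python
import re

# Record-layer version fields the three rules anchor on (byte 0 is 0x16, handshake).
DTLS_VERSIONS = {b"\x01\x00": "pre-1.0", b"\xfe\xff": "1.0", b"\xfe\xfd": "1.2"}

# The rule's pcre, verbatim, as a bytes pattern. It is evaluated relative to the
# byte after the handshake msg_type (0x01), which is where the rule's |01| match ends.
FRAG_PCRE = re.compile(rb"^(?P<len>.{3})..\x00\x00\x00(?:(?!(?P=len)).){3}", re.S)


def build_dtls_client_hello(version, length, frag_offset, frag_len, body=b""):
    """Constructed sample: one DTLS record (epoch 0, sequence 0) carrying one
    ClientHello fragment. Header layout: type(1) version(2) epoch(2) seq(6) len(2),
    then msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)."""
    hs = (b"\x01" + length.to_bytes(3, "big") + b"\x00\x00" +
          frag_offset.to_bytes(3, "big") + frag_len.to_bytes(3, "big") + body)
    return b"\x16" + version + b"\x00\x00" + b"\x00" * 6 + len(hs).to_bytes(2, "big") + hs


def check_fragmented_client_hello(datagram):
    """Structured form of sids 2018559-2018561. Returns (matched, detail)."""
    if len(datagram) < 25:
        return False, "shorter than record header (13) + handshake header (12)"
    if datagram[0] != 0x16:
        return False, "not a handshake record"
    version = DTLS_VERSIONS.get(bytes(datagram[1:3]))
    if version is None:
        return False, "version field not one the rules cover"
    if datagram[3:10] != b"\x00" * 7:  # epoch 0 and the first five sequence bytes zero
        return False, "not the first record of epoch 0"
    hs = datagram[13:]
    if hs[0] != 0x01:
        return False, "not a ClientHello"
    length = int.from_bytes(hs[1:4], "big")
    frag_offset = int.from_bytes(hs[6:9], "big")
    frag_len = int.from_bytes(hs[9:12], "big")
    if length == 0 or frag_len == 0:  # the two byte_test:3,>,0 checks
        return False, "zero length or fragment_length"
    if frag_offset != 0:
        return False, "not the first fragment"
    if frag_len == length:
        return False, "unfragmented ClientHello"
    return True, "DTLS %s first fragment: length=%d fragment_length=%d" % (version, length, frag_len)


def check_with_pcre(datagram):
    """Same decision, but taken by the rule's own pcre once the content/byte_test
    anchors have been satisfied by hand."""
    if len(datagram) < 14 or datagram[0] != 0x16 or bytes(datagram[1:3]) not in DTLS_VERSIONS:
        return False
    if datagram[3:10] != b"\x00" * 7 or datagram[13] != 0x01:
        return False
    hs = datagram[14:]  # pcre is relative to the end of the |01| match
    if int.from_bytes(hs[0:3], "big") == 0 or int.from_bytes(hs[8:11], "big") == 0:
        return False
    return FRAG_PCRE.match(hs) is not None


if __name__ == "__main__":
    whole = build_dtls_client_hello(b"\xfe\xff", 200, 0, 200, b"\x00" * 200)
    first_frag = build_dtls_client_hello(b"\xfe\xff", 200, 0, 100, b"\x00" * 100)
    print(check_fragmented_client_hello(whole))
    print(check_fragmented_client_hello(first_frag), check_with_pcre(first_frag))
```

The regex's `(?:(?!(?P=len)).){3}` rejects a match when any of the three byte positions of fragment_length starts a sequence equal to the message length, so it is slightly stricter than the plain `fragment_length != length` comparison; on the sample datagrams both forms agree, which is what the comparison function is there to show.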
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/evt/?nexcb="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; uricontent:"/evt/?nexcb=aaaaaaaaaa"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:trojan-activity; sid:2018565; rev:3;)
Parser failed - skipping rule
\/\/?$
uricontent:"/";
|---------------------|
Building Rule: 2018566
-------- Hex Payload Start ----------
20 3a
--------- Hex Payload End -----------
^[C-J]\r\n
content:"C ";
|---------------------|
Building Rule: Protocol Not Supported
type limit, track by_src, count 1, seconds 120
|---------------------|
Building Rule: 2018568
Parser failed - skipping rule
type limit, track by_src, count 1, seconds 120
|---------------------|
Building Rule: 2018569
Parser failed - skipping rule
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) "; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:3;)
Parser failed - skipping rule
^\s*?\(\s*?[\x22\x27]Java[\x22\x27]
content:"("Java"";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; content:"("Java""; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018573; rev:3;)
Parser failed - skipping rule
^\x2F[A-F0-9]{20,}+$
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Andromeda download with fake Zip header (1)"; flow:to_client,established; content:"|0d 0a 0d 0a|PK|03 04|"; byte_test:1,>,64,0,relative; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018575; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; content:"|0d 0a 0d 0a|PK|03 04|"; byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018576; rev:3;)
Parser failed - skipping rule
^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL Groupref
NOT IMPL Groupref
NOT IMPL Groupref
content:"(0*A,*+),0)";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; content:"/[a-z]/gi"; fast_pattern; content:"substring"; content:"(0*A,*+),0)"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:trojan-activity; sid:2018577; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Neutrino Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"cmd="; http_client_body; content:"version="; http_client_body; content:"quality="; http_client_body; fast_pattern:only; content:"av="; http_client_body; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2018580; rev:4;)
Parser failed - skipping rule
\/[a-z0-9A-Z]\.exe$
uricontent:"/a.exe";
|---------------------|
Building Rule: 2018581
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018583
-------- Hex Payload Start ----------
20 4a 61 76 61 2f 31 2e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018585 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018586 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018587 -------- Hex Payload Start ---------- 2f 50 4d 43 6f 6e 66 69 67 2e 64 61 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018588 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/entrance\?s1=[a-f0-9]{100,}$ uricontent:"/entrance?s1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018590 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018592 -------- Hex Payload Start ---------- 43 3a 5c 72 6f 63 6b 2e 70 6e 67 20 31 39 39 31 36 45 30 31 2d 42 34 34 45 2d 34 45 33 31 2d 39 34 41 34 2d 34 36 39 36 44 46 34 36 31 35 37 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018593 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018750 -------- Hex Payload Start ---------- 47 45 54 20 20 41 63 63 65 70 74 2d 41 73 74 65 72 6f 70 65 3a --------- 
Hex Payload End ----------- ^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var NOT IMPL not _simple(av) in REPEATING CODES content:"aaaaaa"> <script>var"; |---------------------| Building Rule: Protocol Not Supported ^\/[A-Za-z0-9]+?\/file\.php$ uricontent:"/A/file.php"; |---------------------| Building Rule: 2018598 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 32 38 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018599 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 25 32 65 2f 66 69 6c 65 73 2f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018600; rev:11;) Parser failed - skipping rule [&?]c99shcook\[ uricontent:"&c99shcook["; |---------------------| Building Rule: 2018601 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported \.pack$ uricontent:".pack"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Andromeda Downloading Module"; flow:to_server,established; content:"GET"; http_method; content:".pack"; nocase; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; uricontent:".pack"; content:"Mozilla"; http_header; pcre:"/^User-Agent\x3a\x20Mozilla(?:\/4\.0)?\r?$/Hmi"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:5;) Parser failed - skipping rule [&?]src=https?[^&]+\x24\x28 uricontent:"&src=http#$("; |---------------------| Building Rule: 2018605 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- ^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300} content:"<script>A="AAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2018606 -------- Hex Payload Start ---------- 74 3d 22 31 3b 75 72 6c 3d 61 62 6f 75 74 3a 54 61 62 73 22 20 3c 62 6f 64 79 3e 20 3c 73 63 72 69 70 74 3e 41 3d 22 41 41 41 41 41 41 41 41 41 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 300 |---------------------| Building Rule: 2018607 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 48 50 43 72 61 77 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018609 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6b 70 61 69 37 79 63 72 37 6a 78 71 6b 69 6c 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018610 -------- Hex Payload Start ---------- 6b 70 61 69 37 79 63 72 37 6a 78 71 6b 69 6c 70 2e --------- Hex Payload End ----------- [?&]id=\d*?[^\d]\d*?(?:&|$) uricontent:"?id=#"; |---------------------| Building Rule: 2018612 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018613 -------- Hex Payload Start ---------- 6c 76 71 77 67 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018614 -------- Hex Payload Start ---------- 33 34 66 65 47 61 65 52 41 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018615 -------- Hex Payload Start ---------- 0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018616 -------- Hex Payload Start ---------- 4d 00 02 02 00 20 20 20 20 2f 20 48 54 54 50 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018618 -------- Hex Payload Start ---------- 41 63 63 65 70 74 20 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018620 
-------- Hex Payload Start ---------- 01 00 30 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018623 -------- Hex Payload Start ---------- 09 00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018624 -------- Hex Payload Start ---------- 02 00 06 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018625 -------- Hex Payload Start ---------- 04 00 06 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018626 -------- Hex Payload Start ---------- 05 00 01 01 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018629 -------- Hex Payload Start ---------- 0d 0a 0d 0a 77 6f 72 6b 3a 7c 64 6f 77 6e 65 78 65 63 20 2e 6a 70 67 3b 0d 0a --------- Hex Payload End ----------- ^\x2Fn\x2F[0-9]{10,}$ uricontent:"/n/0000000000"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; depth:3; content:"content="; http_client_body; depth:8; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; uricontent:"/n/0000000000"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2018630; rev:2;) Parser failed - skipping rule ^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Ffile(?:index\x3D[A-Z]|n\x3Dnoexist|wh\x3Dfalse) uricontent:"/#/in.php?file"; |---------------------| Building Rule: 2018632 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3FRe\x3D uricontent:"/#/in.php?Re="; |---------------------| Building Rule: 2018633 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Fverify\x3D uricontent:"/#/in.php?verify="; |---------------------| Building Rule: 2018634 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^[\x20-\x7e]+?.{8}\x79\xda content:" 00000000y"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:to_server,established; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:trojan-activity; sid:2018636; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x9d content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:to_server,established; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:trojan-activity; sid:2018637; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x49\xa5 content:" 00000000I"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:to_server,established; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000I"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:trojan-activity; sid:2018638; rev:2;) Parser failed - skipping rule ^.{4}[\x20-\x7e]+?.{4}\x7b\x9e content:"0000 0000{"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; content:"0000 0000{"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:trojan-activity; sid:2018639; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018640 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 2f 31 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4a 61 76 61 2f 48 6f 73 74 3a 20 41 63 63 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 2a 3b 20 71 3d 2e 32 2c 20 2a 2f 2a 3b 20 71 3d 2e 32 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/black/?"; fast_pattern:only; http_uri; content:"tipo="; depth:5; http_client_body; content:"&cliente="; http_client_body; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:trojan-activity; sid:2018641; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018642 Error here within! -------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 cc 5f 63 --------- Hex Payload End ----------- \/$ uricontent:"/"; |---------------------| Building Rule: 2018644 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018645 -------- Hex Payload Start ---------- 49 00 4e 00 53 00 45 00 52 00 54 49 00 4e 00 54 00 4f 20 42 00 52 00 4f 00 57 00 53 00 45 00 52 00 4c 00 4f 00 47 00 55 00 53 00 42 00 --------- Hex Payload End ----------- ^Subject\x3a [^\r\n]+?Foi Instalado content:"Subject: #Foi Instalado"; |---------------------| Building Rule: 2018646 -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 20 46 6f 69 20 49 6e 73 74 61 6c 61 64 6f 20 53 75 62 6a 65 63 74 3a 20 00 46 6f 69 20 49 6e 73 74 61 6c 61 64 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2018647 Error here within! -------- Hex Payload Start ---------- 55 04 03 20 10 2a 2e 39 39 39 73 65 72 76 65 72 73 2e 63 6f 6d --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP Plug-in MailPoet Arbitrary File Upload/Auth Bypass Vulnerability"; flow:established,to_server; content:"/wp-admin/admin-post.php"; http_uri; content:"page=wysija_campaigns"; http_uri; content:"action=themes"; http_uri; content:"|0d 0a|PK"; http_client_body; content:"style.css"; http_client_body; reference:url,www.exploit-db.com/exploits/33991/; classtype:web-application-attack; sid:2018648; rev:3;) Parser failed - skipping rule \.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$ uricontent:".asp?IDPC=&"; |---------------------| Building Rule: 2018649 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018650 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018651 Error here within! 
-------- Hex Payload Start ---------- 16 03 00 20 2a 86 48 86 f7 0d 01 09 01 20 20 73 6d 61 6c 62 61 63 68 32 34 32 34 40 68 6f 74 6d 61 69 6c 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\/[^\x2f]+?\.hlp$ uricontent:"/#.hlp"; |---------------------| Building Rule: 2018654 -------- Hex Payload Start ---------- 47 45 54 20 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 69 64 65 6e 74 69 74 79 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 6e 64 79 20 4c 69 62 72 61 72 79 29 20 2e --------- Hex Payload End ----------- ^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27] Parser failed - skipping rule ^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27] Parser failed - skipping rule ^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27] Parser failed - skipping rule |---------------------| Building Rule: 2018659 -------- Hex Payload Start ---------- 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018660 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 55 53 45 52 5f 43 48 45 43 4b --------- Hex Payload End ----------- \/soft(?:32|64)\.dll$ uricontent:"/soft.dll"; |---------------------| Building Rule: 2018661 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 20 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018663 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- ^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01 Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018668 -------- Hex Payload Start ---------- 74 3d 22 31 3b 75 72 6c 3d 61 62 6f 75 74 3a 54 61 62 73 22 20 2f 5b 61 2d 7a 5d 2f 67 69 20 5c 78 36 36 5c 78 37 32 5c 78 36 46 5c 78 36 44 5c 78 34 33 5c 78 36 38 5c 78 36 31 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 34 5c 78 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018669 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018670 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018671 Error here within! -------- Hex Payload Start ---------- 55 04 03 20 11 61 63 65 73 65 63 75 72 65 73 68 6f 70 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018672 Error here within! Error here within! -------- Hex Payload Start ---------- 16 20 0b 55 04 03 20 1a 6e 65 77 2d 69 6e 73 74 61 6c 6c 2e 70 72 69 76 61 74 65 64 6e 73 2e 63 6f 6d 2a 86 48 86 f7 0d 01 09 01 20 1e 73 73 6c 40 6e 65 77 2d 69 6e 73 74 61 6c 6c 2e 70 72 69 76 61 74 65 64 6e 73 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018673 Error here within! Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 0f 67 72 6f 62 65 72 74 73 2e 63 6f 6d 2e 61 75 2a 86 48 86 f7 0d 01 09 01 20 13 69 6e 66 6f 40 64 63 74 72 65 61 73 75 72 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018674 -------- Hex Payload Start ---------- 55 04 03 20 1d 77 77 77 2e 66 61 69 74 68 6d 65 6e 74 6f 72 69 6e 67 61 6e 64 6d 6f 72 65 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2018882 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 29 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018883 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 29 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018675 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 23 20 73 74 61 74 75 73 20 63 68 65 63 6b 69 6e 67 20 70 72 6f 67 61 6d 20 6f 6e 6c 69 6e 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018676 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 74 --------- Hex Payload End ----------- ^\/kb\/\d{4,8}$ uricontent:"/kb/0000"; |---------------------| Building Rule: 2018677 Error here depth! -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 74 --------- Hex Payload End ----------- \/0\/$ uricontent:"/0/"; |---------------------| Building Rule: 2018678 -------- Hex Payload Start ---------- 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018679 Error here depth! 
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 7a 70 77 69 62 66 73 6d 6f 6f 77 65 68 64 73 6d 05 6f 6e 69 6f 6e 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya Credit Card Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"&ccnum="; http_client_body; fast_pattern:only; content:"mode="; depth:5; http_client_body; content:"&compinfo="; distance:0; http_client_body; content:"&type="; distance:0; http_client_body; content:"&track="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:url,fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf; classtype:trojan-activity; sid:2018680; rev:2;)
Parser failed - skipping rule
^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$
uricontent:"/a.php?p=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------|
Building Rule: 2018681
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 3a 20 41 63 63 65 70 74 3a 20 74 65 78 74 2f 2a 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 2a 2c 20 2a 2f 2a 0d 0a
--------- Hex Payload End -----------
^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D
uricontent:"/track/?ip=0&data=";
|---------------------|
Building Rule: 2018682
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 3a 20 41 63 63 65 70 74 3a 20 74 65 78 74 2f 2a 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 2a 2c 20 2a 2f 2a 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018683 Error here within!
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20 20 20 2e 20 2e 20 3a
--------- Hex Payload End -----------
\.asp$
uricontent:".asp";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aibatook checkin"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"m="; depth:2; http_client_body; content:"AA=="; http_client_body; fast_pattern:only; uricontent:".asp"; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/Pi"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:trojan-activity; sid:2018685; rev:3;)
Parser failed - skipping rule
^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$
uricontent:"/js/metrika/watch.js?ver=0.0.0";
|---------------------|
Building Rule: 2018686
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aibatook checkin 2"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/u.html"; http_uri; fast_pattern:only; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:trojan-activity; sid:2018687; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018688
-------- Hex Payload Start ----------
53 75 62 6a 65 63 74 3a 20 50 72 65 64 61 74 6f 72 20 50 61 69 6e 20 76
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018690 Error here within!
-------- Hex Payload Start ----------
55 04 03 20 14 77 77 77 2e 6b 61 72 69 6e 65 6a 6f 6e 63 61 73 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018691 Error here within!
-------- Hex Payload Start ----------
55 04 03 20 0d 64 65 73 6c 65 6d 61 74 69 6e 2e 63 61
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018692 Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018693; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018694; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018695; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018696 Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018697; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018698; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018699; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018700; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018701; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018702; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018704; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018705; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018706; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018707; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018708; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018711; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018712; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018714; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018715; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018716; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018717; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018718; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018719 Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0: 03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018720; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018721; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018722; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018723; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018724; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018725; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018726; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018727; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018728; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018729; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018730; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018731; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018732; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018733; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018734; rev:2;)
Parser failed - skipping rule
^\/[a-z]\?[a-z]=[0-9]{5,}$
uricontent:"/a?a=00000";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; uricontent:"/a?a=00000"; classtype:trojan-activity; sid:2018737; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018738
-------- Hex Payload Start ----------
53 75 62 6a 65 63 74 3a 20 50 61 69 6e 20 46 69 6c 65 20 53 74 65 61 6c 65 72 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 3b 20 6e 61 6d 65 3d 77 61 6c 6c 65 74 2e 64 61 74
--------- Hex Payload End -----------
^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$
uricontent:"//api/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=/";
|---------------------|
Building Rule: 2018739
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
callback=CWS[a-z0-9\.\_]{5}hC[a-z0-9\.\_]{50}
uricontent:"callback=CWSaaaaahCaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------|
Building Rule: 2018740 Error here within!
-------- Hex Payload Start ----------
20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2018749 Error here within!
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20 20 20 20 2e 20 2e 20 3a
--------- Hex Payload End -----------
\/OptimizerPro\.exe$
uricontent:"/OptimizerPro.exe";
|---------------------|
Building Rule: 2018743
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
^\/(?:get|install)\/\?q=
uricontent:"//?q=";
|---------------------|
Building Rule: 2018744
-------- Hex Payload Start ----------
47 45 54 20 20 6f 70 74 70 72 6f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018745 Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018746; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018747; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018748
-------- Hex Payload Start ----------
43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e
--------- Hex Payload End -----------
[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a
content:"#68#74#74#7003a";
|---------------------|
Building Rule: 2018751
-------- Hex Payload Start ----------
6a 71 75 65 72 79 5f 64 61 74 65 70 69 63 6b 65 72 3d 27 20 00 36 38 00 37 34 00 37 34 00 37 30 30 33 61
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2019143
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
\.bin$
uricontent:".bin";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic .bin download from Dotted Quad"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; uricontent:".bin"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; content:!"User-Agent|3a 20|McAfee Agent|0d 0a|"; http_header; content:!"User-Agent|3a 20|NetClient/"; http_header; classtype:trojan-activity; sid:2018752; rev:9;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SearchSuite Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:23; content:"/install_statistics.php"; fast_pattern; http_uri; depth:23; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE|3B| Win32)"; http_header; content:"XML="; http_client_body; depth:4; content:!"Referer|3a|"; http_header; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:trojan-activity; sid:2018753; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018754
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018760; rev:3;)
Parser failed - skipping rule
^[\x22\x27]
content:""";
|---------------------|
Building Rule: 2018756
-------- Hex Payload Start ----------
6c 6f 61 64 58 4d 4c 20 70 61 72 73 65 45 72 72 6f 72 20 2d 32 31 34 37 30 32 33 30 38 33 20 5c 6b 6c 31 2e 73 79 73 20 22
--------- Hex Payload End -----------
^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]
content:".sys"";
|---------------------|
Building Rule: 2018757
-------- Hex Payload Start ----------
6c 6f 61 64 58 4d 4c 20 70 61 72 73 65 45 72 72 6f 72 20 2d 32 31 34 37 30 32 33 30 38 33 20 5c 74 6d 20 2e 73 79 73 22
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018758 Protocol Not Supported
|---------------------|
Building Rule: 2018759 Protocol Not Supported
|---------------------|
Building Rule: 2018767 Protocol Not Supported
|---------------------|
Building Rule: 2018768 Protocol Not Supported
^\/flash\/api\.php\?id=\d
uricontent:"/flash/api.php?id=0";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; uricontent:"/flash/api.php?id=0"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018770
-------- Hex Payload Start ----------
74 66 61 72 64 63 69 5f 73 65 73 73 69 6f 6e 3d
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018775
-------- Hex Payload Start ----------
48 54 54 50 2f 31 2e 20 53 65 72 76 65 72 3a 20 53 74 61 6c 69 6e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018776 Protocol Not Supported
|---------------------|
Building Rule: 2018777 Protocol Not Supported
|---------------------|
Building Rule: 2018778 Protocol Not Supported
|---------------------|
Building Rule: 2018779 Protocol Not Supported
|---------------------|
Building Rule: 2018780 Protocol Not Supported
|---------------------|
Building Rule: 2018782
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 72 65 73 65 61 72 63 68 2d 73 63 61 6e 6e 65 72 2f 69 6e 74 65 72 6e 65 74 73 63 61 6e 6e 69 6e 67 70 72 6f 6a 65 63 74 2e 6f 72 67
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2018783
-------- Hex Payload Start ----------
2d 32 31 34 37 30 32 33 30 38 33 20 72 65 73 3a 2f 20 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}
Parser failed - skipping rule
|---------------------|
Building Rule: 2018786
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
^\/wp-content\/themes\/[^\x2f]+\/[a-z0-9]+$
uricontent:"/wp-content/themes/#/a";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Locker DL URI Struct Jul 25 2014"; flow:to_server,established; content:"/wp-content/themes/"; http_uri; depth:19; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; uricontent:"/wp-content/themes/#/a"; pcre:"/^User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a11\.0)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:2;)
Parser failed - skipping rule
^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00
content:"####aaaaaa#";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible CryptoWall encrypted download"; flow:to_client,established; content:"|0d 0a 0d 0a|"; byte_test:1,<,12,0,relative; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; content:"####aaaaaa#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018788; rev:3;)
Parser failed - skipping rule
^.{2}www\.[0-9a-z]{8,20}\.com[01]
content:"00www.00000000.com0";
Unsupported keyword!
Error parsing rule contents
alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; content:"|06 03 55 04 03|"; content:"00www.00000000.com0"; content:"|06 03 55 04 03|"; distance:0; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.net/Rs"; classtype:trojan-activity; sid:2018789; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2018790 Protocol Not Supported
|---------------------|
Building Rule: 2018791 Protocol Not Supported
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported ^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\( NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"(rc4("#",hex2bin("; |---------------------| Building Rule: 2018794 -------- Hex Payload Start ---------- 74 3d 22 31 3b 75 72 6c 3d 61 62 6f 75 74 3a 54 61 62 73 22 20 68 65 78 32 62 69 6e 20 65 76 61 6c 20 28 72 63 34 28 22 00 22 2c 68 65 78 32 62 69 6e 28 --------- Hex Payload End ----------- ^[\x22\x27] content:"""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; content:"""; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018795; rev:6;) Parser failed - skipping rule ^[\x22\x27] content:"""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; content:"""; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018796; rev:6;) Parser failed - skipping rule ^[\x22\x27] content:"""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; content:"""; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018797; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2018798 Error here within! -------- Hex Payload Start ---------- 53 75 62 6a 65 63 74 3a 20 20 20 20 20 43 2d 48 2d 45 2d 47 2d 4f 20 41 2d 56 2d 49 2d 53 2d 4f 21 20 2e 3a 3a 49 6e 66 65 63 74 3a 3a 2e --------- Hex Payload End ----------- \/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$ uricontent:"/&aaaaa=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2018799 -------- Hex Payload Start ---------- 50 4f 53 54 20 74 20 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 29 0d 0a 48 6f 73 74 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018800 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 68 72 6f 6f 74 2d 61 70 61 63 68 30 64 61 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018801 Protocol Not Supported 
|---------------------| Building Rule: 2018802 Protocol Not Supported |---------------------| Building Rule: 2018803 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018804 Protocol Not Supported |---------------------| Building Rule: 2018805 Protocol Not Supported |---------------------| Building Rule: 2018806 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018807; rev:3;) Parser failed - skipping rule ^\d content:"0"; |---------------------| Building Rule: 2018808 Error here depth! -------- Hex Payload Start ---------- 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 69 6e 75 78 20 20 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018810 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 0a 70 61 73 73 69 6e 67 67 61 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018812 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 0a 6d 79 72 65 64 69 72 65 63 74 02 75 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018814 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 02 72 72 02 6e 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018816 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 6b 77 69 6b 02 74 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018818 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 04 6d 79 66 77 02 75 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018820 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 08 6f 6e 74 68 65 77 65 62 02 6e 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018822 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 07 69 73 74 68 65 62 65 02 73 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018824 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 07 62 79 69 6e 74 65 72 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018826 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 08 66 69 6e 64 68 65 72 65 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018828 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 0a 6f 6e 74 68 65 6e 65 74 61 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018830 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 06 75 67 6c 79 61 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018832 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 08 61 73 73 65 78 79 61 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018834 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 06 70 61 73 73 61 73 02 75 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018836 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 09 61 74 68 69 73 73 69 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018838 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 09 61 74 68 65 72 73 69 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018840 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 69 73 67 72 65 02 61 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018842 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 06 6c 6f 6f 6b 69 6e 02 61 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018844 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 09 62 65 73 74 64 65 61 6c 73 02 61 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018846 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 0c 6c 6f 77 65 73 74 70 72 69 63 65 73 02 61 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018849 Protocol Not Supported |---------------------| Building Rule: 2018850 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018851; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018852 Protocol Not Supported |---------------------| Building Rule: 2018853 Protocol Not Supported type limit,track by_src, count 1, seconds 300 |---------------------| Building Rule: 2018855 -------- Hex Payload Start ---------- 73 6f 63 6b 73 35 69 6e 69 74 3a --------- Hex Payload End ----------- ^[A-Za-z0-9]{3}[A-Za-z0-9\r\n\/+]+={0,2}$ content:"AAAA"; |---------------------| Building Rule: 2018856 -------- Hex Payload Start ---------- 0d 0a 0d 0a 54 56 71 51 41 20 41 41 41 41 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018858; rev:1;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018859; rev:1;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018860; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018861; rev:1;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018862; rev:1;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018863; rev:1;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018864; rev:1;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018865; rev:1;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018866; rev:3;) Parser failed - skipping rule ^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report= uricontent:"/get/?ver=0&aid=00000000&hid=aaaaaaaaaaaaaaa&rid=0000000000000&data=&report="; |---------------------| Building Rule: 2018867 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018868 Protocol Not Supported |---------------------| Building Rule: 2018869 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 29 0d 0a 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018870 Protocol Not Supported |---------------------| Building Rule: 2018871 Protocol Not Supported |---------------------| Building Rule: 2018872 -------- Hex Payload Start ---------- 69 65 74 37 76 34 64 63 69 6f 63 67 78 68 64 76 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018873 -------- Hex Payload Start ---------- 20 69 65 74 37 76 34 64 63 69 6f 63 67 78 68 64 76 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018874 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 10 69 65 74 37 76 34 64 63 69 6f 63 67 78 68 64 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018875 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 74 6f 72 34 75 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018876 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 6f 6e 69 6f 6e 03 63 61 62 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018877 -------- Hex Payload Start ---------- 6b 6e 6f 77 6c 65 64 67 65 77 69 6b 69 2e 69 6e 66 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2018878 -------- Hex Payload Start ---------- 2e 74 6f 72 34 75 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018879 -------- Hex Payload Start ---------- 2e 6f 6e 69 6f 6e 2e 63 61 62 --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x7c\x99 content:" 00000000|"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:to_server,established; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000|"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:trojan-activity; sid:2018880; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018881 Protocol Not Supported |---------------------| Building Rule: 2018884 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 29 0d 0a 20 74 20 3a --------- Hex Payload End ----------- ^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration) NOT IMPL not _simple(av) in REPEATING CODES content:"0.0.0000] (C) Copyright 0000 Microsoft Corp."; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018886 -------- Hex Payload Start ---------- 53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 20 49 6d 61 67 65 20 4e 61 6d 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 20 53 65 73 73 69 6f 6e 20 4e 61 6d 65 20 20 20 20 20 53 65 73 73 69 6f 6e 23 20 20 20 20 4d 65 6d 20 55 73 61 67 65 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0d 0a 20 73 76 63 68 6f 73 74 2e 65 78 65 20 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2018887 -------- Hex Payload Start ---------- 4d 41 49 4c 20 46 52 4f 4d 3a 3c 61 31 33 37 37 33 36 35 31 33 40 71 71 2e 63 6f 6d 3e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Mysayad Checkin 1"; flow:established,to_server; content:"HEAD"; http_method; urilen:17; content:"/GlobalUpdate.upt"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:trojan-activity; sid:2018889; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Mysayad Checkin 2"; flow:established,to_server; content:"HEAD"; http_method; urilen:9; content:"/all.wipe"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:trojan-activity; sid:2018890; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018891 -------- Hex Payload Start ---------- 50 4f 53 54 20 3a 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018892 -------- Hex Payload Start ---------- 7a 78 6a 66 63 76 66 76 68 71 66 71 73 72 70 7a 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018893 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 7a 78 6a 66 63 76 66 76 68 71 66 71 73 72 70 7a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen:4; content:"/333"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; classtype:trojan-activity; sid:2018894; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2018895 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018896 Protocol Not Supported |---------------------| Building Rule: 2018897 -------- Hex Payload Start ---------- 58 2d 47 65 6f 49 50 2d 43 6f 75 6e 74 72 79 2d 43 6f 64 65 3a 20 20 58 2d 52 65 61 6c 2d 49 50 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018898 Protocol Not Supported \.php\?compname=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}_ uricontent:".php?compname=#a_"; |---------------------| Building Rule: 2018900 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- \/vtris\d?\.php\?srs=\d{1,10}$ uricontent:"/vtris.php?srs=0"; |---------------------| Building Rule: 2018901 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018902 Protocol Not Supported type limit, track by_dst, count 1, seconds 120 |---------------------| Building Rule: 2018904 Error here within! -------- Hex Payload Start ---------- 00 01 00 08 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 03 00 04 00 00 00 00 --------- Hex Payload End ----------- type limit, track by_dst, count 1, seconds 120 |---------------------| Building Rule: 2018905 Error here within! 
-------- Hex Payload Start ---------- 00 01 00 08 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 03 00 04 00 00 00 02 --------- Hex Payload End ----------- type limit, track by_dst, count 1, seconds 120 |---------------------| Building Rule: 2018906 Error here within! -------- Hex Payload Start ---------- 00 01 00 08 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 03 00 04 00 00 00 04 --------- Hex Payload End ----------- type limit, track by_dst, count 1, seconds 120 |---------------------| Building Rule: 2018907 Error here within! -------- Hex Payload Start ---------- 00 01 00 08 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 03 00 04 00 00 00 06 --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2018908 Error here within! -------- Hex Payload Start ---------- 01 01 00 44 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00 01 00 08 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018910; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018911; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018912 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018913; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018914 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 65 78 65 2e 65 78 65 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018915; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018916; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8"; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:trojan-activity; sid:2018917; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018918 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 03 61 70 69 07 61 63 63 6f 75 6e 74 06 78 69 61 6f 6d 69 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018919 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 61 70 69 2e 61 63 63 6f 75 6e 74 2e 78 69 61 6f 6d 69 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- ^[\x22\x27] content:"""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Applet"; flow:established,from_server; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; content:"""; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018922; rev:3;) Parser failed - skipping rule ^[\w.]*?\.class content:".class"; |---------------------| Building Rule: 2018923 -------- Hex Payload Start ---------- 66 61 77 61 2f 20 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018924 -------- Hex Payload Start ---------- 61 2f 68 69 64 64 65 6e 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018925 -------- Hex Payload Start ---------- 20 20 4a 61 76 61 2f --------- Hex Payload End ----------- ^\/lolo\/[0-9]+\/[0-9]+\/[0-9]+\/[0-9]+\.html$ uricontent:"/lolo/0/0/0/0.html"; |---------------------| Building Rule: 2018926 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 29 --------- Hex Payload End ----------- ^\/log\/[0-9]+\/[0-9]+\/\?id=[0-9]+$ uricontent:"/log/0/0/?id=0"; |---------------------| Building Rule: 2018927 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e 20 48 6f 73 74 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018935 Protocol Not Supported ^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe uricontent:"/50000,,A:/0.exe"; |---------------------| Building Rule: 2018928 -------- Hex Payload Start ---------- 20 3a 20 2e --------- Hex 
Payload End ----------- \/ord\/[^\x2f]+?\.exe$ uricontent:"/ord/#.exe"; |---------------------| Building Rule: 2018929 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018930 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018931 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018933 -------- Hex Payload Start ---------- 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 29 2f 69 20 45 78 70 6c 6f 69 74 2e 63 6c 61 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018936 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018937; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018939 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018940; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018942 Protocol Not Supported |---------------------| Building Rule: 2018943 Protocol Not Supported |---------------------| Building Rule: 2018944 Protocol Not Supported \.php$ uricontent:".php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; uricontent:".php"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:2;) Parser failed - skipping rule \.php$ uricontent:".php"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; uricontent:".php"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019162 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 53 79 6e 61 70 73 65 29 0d 0a 20 74 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018947 Protocol Not Supported |---------------------| Building Rule: 2018948 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 63 79 70 68 65 72 78 66 66 74 74 72 37 68 68 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2018949 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 53 79 6e 61 70 73 65 29 20 74 20 3a --------- Hex Payload End ----------- ^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script> NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"<script>A("#1");</script><script>("2");</script><script>("3");</script><script>"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; content:"0|22 29 3b 0a 0d 0a|</script>"; content:"<script>A("#1");</script><script>("2");</script><script>("3");</script><script>"; classtype:trojan-activity; sid:2018950; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018953 -------- Hex Payload Start ---------- 6d 79 20 24 70 72 6f 63 65 73 73 6f 6d 79 20 40 61 64 6d 73 3d 6d 79 20 40 63 61 6e 61 69 73 3d 23 67 68 30 73 74 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018954 -------- Hex Payload Start ---------- 0d 0a 0d 0a f1 f4 c2 a2 8b 34 6e 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018955 -------- Hex Payload Start ---------- 0d 0a 0d 0a f1 fc f4 ff 87 6a 66 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018956 -------- Hex Payload Start ---------- 0d 0a 0d 0a e7 c4 a6 c1 9d 79 53 59 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018957 -------- Hex Payload Start ---------- 0d 0a 0d 0a d6 e2 ff c3 a1 75 39 68 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3;) Parser failed - skipping rule \/zConfig\/\d+$ uricontent:"/zConfig/0"; |---------------------| Building Rule: 2018960 -------- Hex Payload Start ---------- 20 3a 20 74 --------- Hex Payload End ----------- \/zImprimer\/\d+- uricontent:"/zImprimer/0-"; |---------------------| Building Rule: 2018961 -------- Hex Payload Start ---------- 20 3a 20 74 --------- Hex Payload End ----------- \/enc\/1$ uricontent:"/enc/1"; |---------------------| Building Rule: 2018962 -------- Hex Payload Start ---------- 20 3a 20 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018963 -------- Hex Payload Start ---------- 5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019172 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018964 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 63 63 65 73 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018965 -------- Hex Payload Start ---------- 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 7a 28 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 66 72 61 6d 65 22 29 20 2e 73 74 79 6c 65 2e 6c 65 66 74 20 3d 20 22 2d 20 2e 73 74 79 6c 65 2e 74 6f 70 20 3d 20 22 2d 3b 7d 7a 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e --------- Hex Payload End ----------- ^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27] NOT IMPL Groupref content:"="#=readed;document0cookie0indexOf("""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; content:"="#=readed;document0cookie0indexOf("""; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:trojan-activity; sid:2018966; rev:3;) Parser failed - skipping rule ^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b NOT IMPL Groupref content:"("#"0document.cookie="=readed;"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; content:"("#"0document.cookie="=readed;"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:trojan-activity; sid:2018967; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018968 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 50 79 74 68 6f 6e 2d 75 72 6c 6c 69 62 2f 20 74 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018969 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018970 -------- Hex Payload Start ---------- 3c 61 70 70 6c 65 74 20 53 69 67 6e 65 64 5f 55 70 64 61 74 65 2e 6a 61 72 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen:4; content:"/222"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; classtype:trojan-activity; sid:2018971; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2018972 -------- Hex Payload Start ---------- 3c 70 61 72 61 6d 20 6e 61 6d 65 3d 22 76 61 6c 75 65 3d 22 6e 69 78 2e 62 69 6e 22 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2018973 Protocol Not Supported |---------------------| Building Rule: 2018974 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2018976 -------- Hex Payload Start ---------- 48 6f 69 63 2f 62 75 74 74 6f 6e 73 32 2f 50 4b 48 6f 69 63 2f 62 75 74 74 6f 6e 73 32 2f 62 75 74 74 6f 6e 73 2e 72 61 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2018979 Error here depth! -------- Hex Payload Start ---------- 20 20 36 36 36 36 58 36 36 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018980 -------- Hex Payload Start ---------- 43 57 44 20 2e 2e 2f 4b 65 79 4c 6f 67 5f 48 69 73 74 6f 72 79 --------- Hex Payload End ----------- ^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz) uricontent:"/p/"; type both, count 1, seconds 30, track by_src |---------------------| Building Rule: 2018984 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 63 6f 64 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 20 2e 20 20 20 20 --------- Hex Payload End ----------- ^\/(?P<n>\d)(?P=n){1,2}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/0"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen:2<>5; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; fast_pattern:only; uricontent:"/0"; flowbits:set,ET.Onelouder.bin; flowbits:noalert; classtype:trojan-activity; sid:2018981; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2;) Parser failed - skipping rule \/\d+$ uricontent:"/0"; |---------------------| Building Rule: 2018983 -------- Hex Payload Start ---------- 2e 20 2e 20 20 4d 53 49 45 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018985 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 64 39 64 33 38 35 62 33 35 32 32 62 32 34 32 33 39 38 61 66 39 31 66 64 34 32 35 62 33 38 36 64 --------- Hex Payload End ----------- \/Fqxzdh\.jar$ uricontent:"/Fqxzdh.jar"; |---------------------| Building Rule: 2018987 -------- Hex Payload Start ---------- 47 45 54 20 20 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- ^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\( Parser failed - skipping rule |---------------------| Building Rule: 2018989 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2018990 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018991 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018992 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018993 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2018994 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- ^\/(?:pruncd)?flashhigh\.swf$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/flashhigh.swf"; |---------------------| Building Rule: 2018995 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- ^\/(?:pruncd)?flashlow\.swf$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/flashlow.swf"; |---------------------| Building Rule: 2018996 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018997 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2018998 -------- Hex Payload Start ---------- 2b 70 61 79 6c 6f 61 64 20 66 6c 61 73 68 4c 6f 77 --------- Hex Payload End ----------- |---------------------| Building Rule: 2018999 -------- Hex Payload Start ---------- 20 20 20 20 20 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019000 -------- Hex Payload Start ---------- 57 69 6e 64 6f 77 73 20 49 50 20 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 0d 45 74 68 65 72 6e 65 74 20 61 64 61 70 74 65 72 20 4c 6f 63 61 6c 20 41 72 65 61 20 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 50 68 79 73 69 63 61 6c 20 41 64 64 72 65 73 73 20 49 50 20 41 64 64 72 65 73 73 20 53 75 62 6e 65 74 20 4d 61 73 6b 20 44 65 66 61 75 6c 74 20 47 
61 74 65 77 61 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019001 -------- Hex Payload Start ---------- 54 68 65 73 65 20 57 69 6e 64 6f 77 73 20 73 65 72 76 69 63 65 73 20 61 72 65 20 73 74 61 72 74 65 64 3a 0d 54 68 65 20 63 6f 6d 6d 61 6e 64 20 63 6f 6d 70 6c 65 74 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019002 -------- Hex Payload Start ---------- 48 6f 73 74 20 4e 61 6d 65 3a 20 4f 53 20 4e 61 6d 65 3a 20 4f 53 20 56 65 72 73 69 6f 6e 3a 20 4f 53 20 4d 61 6e 75 66 61 63 74 75 72 65 72 3a 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 20 4f 53 20 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3a 20 4f 53 20 42 75 69 6c 64 20 54 79 70 65 3a 20 52 65 67 69 73 74 65 72 65 64 20 4f 77 6e 65 72 3a 20 52 65 67 69 73 74 65 72 65 64 20 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 3a 20 50 72 6f 64 75 63 74 20 49 44 3a 20 4f 72 69 67 69 6e 61 6c 20 49 6e 73 74 61 6c 6c 20 44 61 74 65 3a 20 53 79 73 74 65 6d 20 55 70 20 54 69 6d 65 3a 20 53 79 73 74 65 6d 20 4d 61 6e 75 66 61 63 74 75 72 65 72 3a 20 53 79 73 74 65 6d 20 4d 6f 64 65 6c 3a 20 53 79 73 74 65 6d 20 74 79 70 65 3a 20 50 72 6f 63 65 73 73 6f 72 28 73 29 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019003 -------- Hex Payload Start ---------- 41 63 74 69 76 65 20 43 6f 6e 6e 65 63 74 69 6f 6e 73 0d 20 50 72 6f 74 6f 20 4c 6f 63 61 6c 20 41 64 64 72 65 73 73 20 46 6f 72 65 69 67 6e 20 41 64 64 72 65 73 73 53 74 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019005 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 73 77 66 2f 5b 5b 44 59 4e 41 4d 49 43 5d 5d 2f 31 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019007 -------- Hex Payload Start ---------- 66 
75 6e 63 74 69 6f 6e 20 68 65 78 32 62 69 6e 28 68 65 78 29 66 75 6e 63 74 69 6f 6e 20 72 63 34 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019008 -------- Hex Payload Start ---------- 20 2e 70 68 70 3f 69 64 3d 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019009 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4;) Parser failed - skipping rule \.php\?spl=[\w_]+$ uricontent:".php?spl=A"; |---------------------| Building Rule: 2019023 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019024 -------- Hex Payload Start ---------- 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019025 Protocol Not Supported |---------------------| Building Rule: 2019026 Protocol Not Supported |---------------------| Building Rule: 2019027 Protocol Not Supported |---------------------| Building Rule: 2019028 Protocol Not Supported |---------------------| Building Rule: 2019029 Protocol Not Supported |---------------------| Building Rule: 2019030 Protocol Not Supported |---------------------| Building Rule: 
2019031 Protocol Not Supported |---------------------| Building Rule: 2019032 Protocol Not Supported |---------------------| Building Rule: 2019033 Protocol Not Supported |---------------------| Building Rule: 2019034 Protocol Not Supported |---------------------| Building Rule: 2019035 Protocol Not Supported |---------------------| Building Rule: 2019036 Protocol Not Supported |---------------------| Building Rule: 2019037 Protocol Not Supported |---------------------| Building Rule: 2019038 Protocol Not Supported |---------------------| Building Rule: 2019039 Protocol Not Supported |---------------------| Building Rule: 2019040 Protocol Not Supported |---------------------| Building Rule: 2019042 Protocol Not Supported |---------------------| Building Rule: 2019043 Protocol Not Supported |---------------------| Building Rule: 2019044 Protocol Not Supported |---------------------| Building Rule: 2019045 Protocol Not Supported |---------------------| Building Rule: 2019046 Protocol Not Supported |---------------------| Building Rule: 2019047 Protocol Not Supported |---------------------| Building Rule: 2019048 Protocol Not Supported |---------------------| Building Rule: 2019049 Protocol Not Supported |---------------------| Building Rule: 2019050 Protocol Not Supported |---------------------| Building Rule: 2019051 Protocol Not Supported |---------------------| Building Rule: 2019052 Protocol Not Supported |---------------------| Building Rule: 2019053 Protocol Not Supported |---------------------| Building Rule: 2019054 Protocol Not Supported |---------------------| Building Rule: 2019055 Protocol Not Supported |---------------------| Building Rule: 2019056 Protocol Not Supported |---------------------| Building Rule: 2019057 Protocol Not Supported |---------------------| Building Rule: 2019058 Protocol Not Supported |---------------------| Building Rule: 2019059 Protocol Not Supported |---------------------| Building Rule: 2019060 Protocol Not Supported 
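The five NTP DoS rules that the converter skipped above (sid 2019018 to 2019022) all follow one shape: a short content match at offset 1 that pins the implementation and request code (impl 0x03 or 0x02, request code 0x01 PEER_LIST_SUM or 0x10 GET_RESTRICT) plus four or five single-byte byte_test checks on byte 0 that select the NTP mode and require the response bit to be clear, so that a mode 7 request fires but the server's reply does not. The block below is an added example, not the converter's own code: it implements only the content/offset/depth/distance/within/nocase/byte_test subset of the rule language, takes the two rule strings from the log (with their reference: option dropped), and runs them against NTP packets constructed here for the example.

```python
"""Evaluate the content/byte_test subset of Snort/Suricata rule options against
raw UDP payloads.  Added example, not the rule converter's own code: the two
rule strings are sid 2019018 and sid 2019022 from the log above with their
reference: option dropped, and every packet below is constructed here."""
import re

RULE_PEER_LIST_SUM = (  # sid 2019018: mode 7 request, implementation 3, request code 1
    'alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent '
    'Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; '
    'depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; '
    'byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; '
    'classtype:attempted-dos; sid:2019018; rev:3;)')
RULE_UNSETTRAP_RESP = (  # sid 2019022: mode 6 reply with R and E bits set, opcode 31
    'alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple '
    'UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; '
    'byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; '
    'byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; '
    'classtype:attempted-dos; sid:2019022; rev:4;)')
IGNORED = {"msg", "reference", "classtype", "sid", "rev", "threshold", "metadata"}

def split_options(rule):
    """Yield (keyword, value), splitting on ';' only outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = opt.strip().partition(":")
        yield key.strip(), val.strip()

def decode_content(val):
    """content:"ab|00 03|cd" -> (b'ab\\x00\\x03cd', negated); '|..|' spans are hex."""
    negated = val.startswith("!")
    parts = val.lstrip("!").strip('"').split("|")
    raw = b"".join(p.encode("latin-1") if i % 2 == 0 else bytes.fromhex(p)
                   for i, p in enumerate(parts))
    return raw, negated

def compile_rule(rule):
    """Return (checks in rule order, keywords this evaluator does not implement)."""
    checks, unsupported = [], []
    for key, val in split_options(rule):
        if key == "content":
            raw, negated = decode_content(val)
            checks.append({"kind": "content", "pattern": raw, "negated": negated})
        elif key in ("offset", "depth", "distance", "within"):
            checks[-1][key] = int(val)            # modifies the preceding content
        elif key == "nocase":
            checks[-1]["nocase"] = True
        elif key == "byte_test":                  # bytes,[!]op,value,offset[,relative][,little]
            n, op, value, off, *flags = [p.strip() for p in val.split(",")]
            checks.append({"kind": "byte_test", "nbytes": int(n), "op": op.lstrip("!"),
                           "negated": op.startswith("!"), "value": int(value, 0),
                           "offset": int(off), "relative": "relative" in flags,
                           "little": "little" in flags})
        elif key not in IGNORED:
            unsupported.append(key)
    return checks, unsupported

def evaluate(checks, payload):
    """Run the checks over one payload; cursor = byte after the last content match."""
    cursor = 0
    for c in checks:
        if c["kind"] == "content":
            pat, hay = c["pattern"], payload
            if c.get("nocase"):
                pat, hay = pat.lower(), hay.lower()
            if "distance" in c or "within" in c:      # relative to the cursor
                start = cursor + c.get("distance", 0)
                end = start + c["within"] if "within" in c else len(hay)
            else:                                     # absolute offset/depth
                start = c.get("offset", 0)
                end = start + c["depth"] if "depth" in c else len(hay)
            idx = hay.find(pat, max(start, 0), end)   # whole match must fit in [start, end)
            if c["negated"] != (idx == -1):           # wanted but missing, or forbidden but present
                return False
            cursor = idx + len(pat) if idx != -1 else cursor
        else:
            start = cursor + c["offset"] if c["relative"] else c["offset"]
            chunk = payload[start:start + c["nbytes"]]
            if len(chunk) < c["nbytes"]:
                return False
            n, v = int.from_bytes(chunk, "little" if c["little"] else "big"), c["value"]
            hit = {"&": (n & v) != 0, "^": (n ^ v) != 0, "=": n == v,
                   "<": n < v, ">": n > v}[c["op"]]
            if hit == c["negated"]:                   # '!' inverts the operator
                return False
    return True

def alerts(rule, payload):
    checks, _ = compile_rule(rule)
    return evaluate(checks, payload)

def ntp_mode7_request(impl, req_code, response=False):
    """ntpdc-style mode 7 packet (constructed): byte 0 = R|M|VN 2|mode 7 (0x17),
    byte 1 = auth|seq, byte 2 = implementation, byte 3 = request code, 48 bytes."""
    first = 0x17 | (0x80 if response else 0)
    return bytes([first, 0x00, impl, req_code]).ljust(48, b"\x00")

def ntp_mode6_unsettrap_error():
    """Mode 6 control reply (constructed): byte 0 = VN 3|mode 6 (0x1e), byte 1 = R|E
    bits plus opcode 31 UNSETTRAP (0xdf), sequence 0, status 0x0400, no data."""
    return bytes([0x1e, 0xdf, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
```

The request from ntp_mode7_request(3, 1) fires sid 2019018, the same packet with the response bit set does not (byte_test:1,!&,128,0 fails), and the impl 0x02 variant is left to the sibling rule 2019019. The threshold: option is deliberately skipped, so this evaluator says whether one packet matches, not whether the two-per-minute rate condition of the real rule is met.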
|---------------------| Building Rule: 2019061 Protocol Not Supported |---------------------| Building Rule: 2019062 Protocol Not Supported |---------------------| Building Rule: 2019063 Protocol Not Supported |---------------------| Building Rule: 2019064 Protocol Not Supported |---------------------| Building Rule: 2019065 Protocol Not Supported |---------------------| Building Rule: 2019067 Protocol Not Supported |---------------------| Building Rule: 2019068 Protocol Not Supported |---------------------| Building Rule: 2019069 Protocol Not Supported |---------------------| Building Rule: 2019070 Protocol Not Supported |---------------------| Building Rule: 2019071 -------- Hex Payload Start ---------- 28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019072 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"nhweb="; http_cookie; depth:6; classtype:trojan-activity; sid:2019073; rev:2;) Parser failed - skipping rule \/0[0-2]\/.+?\/[a-f0-9]+\?id=[a-f0-9]+$ uricontent:"/00/0/a?id=a"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"?id="; http_uri; content:"/0"; http_uri; uricontent:"/00/0/a?id=a"; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http_header; fast_pattern:26,20; pcre:"/^User-Agent\x3a[^r\n]+?(?:MSIE|rv\x3a11)/Hmi"; classtype:trojan-activity; sid:2019074; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2019075 Protocol Not Supported |---------------------| Building Rule: 2019076 Protocol Not Supported |---------------------| Building Rule: 2019077 Protocol Not Supported ^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"aaaaaa"> <script>#!eval!"; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019079 Protocol Not Supported |---------------------| Building Rule: 2019080 -------- Hex Payload Start ---------- 49 6e 74 65 72 66 61 63 65 3a 2d 2d 2d 20 30 78 20 49 6e 74 65 72 6e 65 74 20 41 64 64 72 65 73 73 50 68 79 73 69 63 61 6c 20 41 64 64 72 65 73 73 20 54 79 70 65 20 64 79 6e 61 6d 69 63 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019081 -------- Hex Payload Start ---------- 41 4c 4c 55 53 45 52 53 50 52 4f 46 49 4c 45 3d 41 50 50 44 41 54 41 3d 20 43 4c 49 45 4e 54 4e 41 4d 45 3d 43 6f 6d 6d 6f 6e 50 72 6f 67 72 61 6d 46 69 6c 65 73 3d 20 43 4f 4d 50 55 54 45 52 4e 41 4d 45 3d 20 43 6f 6d 53 70 65 63 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2019082 -------- Hex Payload Start ---------- 49 6e 74 65 72 66 61 63 65 20 4c 69 73 74 41 63 74 69 76 65 20 52 6f 75 74 65 73 3a 20 4e 
65 74 77 6f 72 6b 20 44 65 73 74 69 6e 61 74 69 6f 6e 4e 65 74 6d 61 73 6b 20 47 61 74 65 77 61 79 20 49 6e 74 65 72 66 61 63 65 20 4d 65 74 72 69 63 20 44 65 66 61 75 6c 74 20 47 61 74 65 77 61 79 3a 20 50 65 72 73 69 73 74 65 6e 74 20 52 6f 75 74 65 73 3a 20 52 6f 75 74 65 20 54 61 62 6c 65 --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\xc3\x70 content:" 00000000p"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:to_server,established; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:trojan-activity; sid:2019083; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019084 Error here depth! 
-------- Hex Payload Start ---------- 20 20 2f 6a 7c 6e 5c 5b 65 6e 64 6f 66 5d --------- Hex Payload End ----------- ^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160) content:",,,,,,"; |---------------------| Building Rule: 2019085 -------- Hex Payload Start ---------- 2e 61 74 6f 62 28 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 20 2c 2c 2c 2c 2c 2c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019086 Protocol Not Supported |---------------------| Building Rule: 2019087 -------- Hex Payload Start ---------- 63 6d 69 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019088 -------- Hex Payload Start ---------- 63 6d 69 2f 76 61 72 2f 73 73 68 2f 72 6f 6f 74 2f 61 75 74 68 6f 72 69 7a 65 64 5f 6b 65 79 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019089 -------- Hex Payload Start ---------- 73 73 68 2d 72 73 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019090 -------- Hex Payload Start ---------- 73 73 68 2d 72 73 61 --------- Hex Payload End ----------- ^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\) Parser failed - skipping rule |---------------------| Building Rule: 2019093 -------- Hex Payload Start ---------- 73 63 61 6e 62 6f 78 2e 63 72 79 70 74 2e 5f 75 74 66 38 5f 65 6e 63 6f 64 65 --------- Hex Payload End ----------- \.php$ uricontent:".php"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Intial (POST)"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:"seed="; http_client_body; content:"&referrer="; http_client_body; content:"&agent="; http_client_body; content:"&location="; http_client_body; content:"&toplocation="; http_client_body; uricontent:".php"; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019094; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019096 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- ^\/(?:pruncd)?silverapp1\.xap$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/silverapp1.xap"; |---------------------| Building Rule: 2019097 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:trojan-activity; sid:2019098; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019099 -------- Hex Payload Start ---------- 53 69 6c 76 65 72 41 70 70 31 2e 64 6c 6c 50 4b --------- Hex Payload End ----------- \.php$ uricontent:".php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; uricontent:".php"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:trojan-activity; sid:2019100; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019101 -------- Hex Payload Start ---------- 01 00 00 00 01 00 00 00 08 08 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2019103 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4d 5a 20 50 45 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019104 Protocol Not Supported |---------------------| Building Rule: 2019105 Protocol Not Supported |---------------------| Building Rule: 2019106 Protocol Not Supported |---------------------| Building Rule: 2019107 Protocol Not Supported |---------------------| Building Rule: 2019108 Protocol Not Supported |---------------------| Building Rule: 2019109 Protocol Not Supported |---------------------| Building Rule: 2019110 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019111 -------- Hex Payload Start ---------- 64 6e 73 50 72 69 6d 61 72 79 3d 20 64 6e 73 53 65 63 6f 6e 64 61 72 79 3d 20 64 6e 73 44 79 6e 61 6d 69 63 3d 20 64 6e 73 63 6f 6e 66 69 67 2e 63 67 69 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019112 -------- Hex Payload Start ---------- 64 6e 73 50 72 69 6d 61 72 79 3d 20 64 6e 73 53 65 63 6f 6e 64 61 72 79 3d 20 64 6e 73 44 79 6e 61 6d 69 63 3d 20 72 65 62 6f 6f 74 69 6e 66 6f 2e 63 67 69 --------- Hex Payload End ----------- ^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/?0"; |---------------------| Building Rule: 2019113 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a 20 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 0d 0a --------- Hex Payload End ----------- ^\/UID\d+\.jsp\? uricontent:"/UID0.jsp?"; |---------------------| Building Rule: 2019114 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- Hex Payload End ----------- \/\d{5}\/(?P<s1>[a-z]{3})[a-z]\.php\?(?P=s1)_id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/00000/aaaa.php?_id="; |---------------------| Building Rule: 2019115 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019117 -------- Hex Payload Start ---------- 57 79 39 47 62 43 41 76 52 6d 78 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019118 -------- Hex Payload Start ---------- 4c 30 5a 73 49 43 39 47 62 46 30 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019119 -------- Hex Payload Start ---------- 49 46 73 76 52 6d 77 67 4c 30 5a 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019120 Protocol Not Supported |---------------------| Building Rule: 2019121 Protocol Not Supported |---------------------| Building Rule: 2019122 Protocol Not Supported |---------------------| Building Rule: 2019123 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 10 65 72 68 69 74 6e 77 66 76 70 67 61 6a 66 62 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019124 -------- Hex Payload Start ---------- 65 72 68 69 74 6e 77 66 76 70 67 61 6a 66 62 75 2e --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019126 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- [a-z]\d{2}$ uricontent:"a00"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Bapy.Downloader PE Download Request"; flow:established,to_server; content:"GET"; http_method; urilen:9; content:"/tmps."; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; uricontent:"a00"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019128 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019130 -------- Hex Payload Start ---------- 7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65 20 3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a 20 29 5e 32 35 35 26 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019131 -------- Hex Payload Start ---------- 25 36 35 25 36 34 25 36 66 25 34 33 25 37 32 25 36 31 25 36 38 25 34 33 25 36 64 25 36 66 25 37 32 25 36 36 20 25 37 34 25 34 31 25 36 35 25 36 34 25 36 66 25 34 33 25 37 32 25 36 31 25 36 38 25 36 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 
Protocol Not Supported |---------------------| Building Rule: 2019135 Protocol Not Supported |---------------------| Building Rule: 2019136 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 29 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 7a 68 2d 63 6e 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download"; flow:established,to_server; content:"/wp-admin/admin-ajax.php"; http_uri; content:"action=revslider_show_image"; http_uri; content:"img=|2e 2e 2f|"; http_raw_uri; reference:url,exploit-db.com/exploits/34511/; classtype:web-application-attack; sid:2019137; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Poweliks GET Request"; flow:established,to_server; content:"GET"; http_method; urilen:4; content:"/dll"; http_uri; fast_pattern:only; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/01/index3.html; classtype:trojan-activity; sid:2019138; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019140 -------- Hex Payload Start ---------- 47 45 54 20 20 6d 61 78 6d 69 6e 64 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2019139 -------- Hex Payload Start ---------- 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported 
^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"a9.9.9.9 a "; |---------------------| Building Rule: 2019142 -------- Hex Payload Start ---------- 0d 0a 0d 0a 39 2e 39 2e 39 2e 39 20 20 61 39 2e 39 2e 39 2e 39 20 61 0d --------- Hex Payload End ----------- |---------------------| Building Rule: 2019144 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- ^\/[a-f0-9]{50,}$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2019145 -------- Hex Payload Start ---------- 47 45 54 20 50 72 6f 78 79 2d 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 2e 20 3a 20 48 6f 73 74 3a 20 73 74 61 6e 2e --------- Hex Payload End ----------- \/k\?t[a-z]*=\d{5,}$ uricontent:"/k?t=00000"; |---------------------| Building Rule: 2019146 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019147 Protocol Not Supported |---------------------| Building Rule: 2019148 Protocol Not Supported |---------------------| Building Rule: 2019149 Protocol Not Supported |---------------------| Building Rule: 2019150 Protocol Not Supported |---------------------| Building Rule: 2019151 Protocol Not Supported |---------------------| Building Rule: 2019152 Protocol Not Supported |---------------------| Building Rule: 2019153 Protocol Not Supported |---------------------| Building Rule: 2019154 -------- Hex Payload Start ---------- 20 4a 61 76 61 2f 31 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019155 -------- Hex Payload Start ---------- 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 20 48 6f 73 74 3a 20 77 69 6e 64 6f 77 73 75 70 64 61 74 65 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 0d 0a 20 20 20 
2e --------- Hex Payload End ----------- ^\/[\w-]{50,}$ uricontent:"/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2019156 -------- Hex Payload Start ---------- 47 45 54 20 48 6f 73 74 3a 20 6b 79 6c 65 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; content:"POST"; http_method; content:"/save_env.cgi"; http_uri; fast_pattern:only; content:"&user="; http_client_body; content:"|2e 2e 2f|"; distance:0; http_client_body; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:3;) Parser failed - skipping rule \/invoice[^\/]*?\.exe$ uricontent:"/invoice.exe"; |---------------------| Building Rule: 2019158 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri; fast_pattern:28,20; content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28; content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"|0d 0a 0d 0a|"; threshold: type both, count 5, seconds 300, track by_src; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2019159 -------- Hex Payload Start ---------- 55 53 45 52 20 75 73 65 72 20 64 72 75 70 61 6c 7a 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019160 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019161 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 44 65 63 65 62 61 6c 76 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; content:"|AB AB|"; depth:2; http_client_body; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; http_client_body; fast_pattern:only; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; content:"Content-Type|3a 20|image/"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019171 -------- Hex Payload Start ---------- 00 20 20 20 10 27 60 ea 4c 69 6e 75 78 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019169 -------- Hex Payload Start ---------- 0d 0a 0d 0a 64 b4 dc a4 --------- Hex Payload End 
----------- \/1(?:3[89]\d{7}|4\d{8})\.xap$ uricontent:"/1.xap"; |---------------------| Building Rule: 2019167 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019173 Protocol Not Supported |---------------------| Building Rule: 2019174 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019175 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\d content:"0"; type both, count 1, seconds 30, track by_src |---------------------| Building Rule: 2019177 -------- Hex Payload Start ---------- 49 4e 46 4f 3a 20 30 25 7c --------- Hex Payload End ----------- ^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$ Parser failed - skipping rule |---------------------| Building Rule: 2019178 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/key/index.php"; http_uri; fast_pattern:only; content:"dir="; depth:4; http_client_body; content:"&data="; distance:0; http_client_body; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:trojan-activity; sid:2019179; rev:2;) Parser failed - skipping rule ^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$ NOT IMPL Groupref content:""#")==-1){document.cookie="=#"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; content:"|0d 0a 0d 0a|"; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; content:""#")==-1){document.cookie="=#"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:trojan-activity; sid:2019180; rev:5;) Parser failed - skipping rule ^[a-f0-9] content:"a"; |---------------------| Building Rule: 2019181 Error here within! -------- Hex Payload Start ---------- 5c 75 30 30 30 20 61 20 6a 61 76 61 73 63 72 69 70 74 3a --------- Hex Payload End ----------- ^[\r\n\s]*?\x28[\r\n\s]*?base64_decode content:"(base64_decode"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"base64_decode"; nocase; http_client_body; fast_pattern:only; content:"eval"; nocase; content:"(base64_decode"; classtype:trojan-activity; sid:2019182; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019183 -------- Hex Payload Start ---------- 41 67 43 6f 6e 74 72 6f 6c 2e 41 67 43 6f 6e 74 72 6f 6c 20 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 2e 69 6e 64 65 78 4f 66 28 22 78 61 70 22 29 20 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019184 -------- Hex Payload Start ---------- 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c 50 4b 20 69 66 72 61 6d 65 2e 64 6c 6c 50 4b --------- Hex Payload End ----------- 
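The Banload rule the converter skipped above (sid 2019165) is the one rule on this page whose logic is easy to misread: after matching "|0d 0a 0d 0a|MZ" it does byte_jump:4,58,relative,little, then looks for "PE|00 00|" with distance:-64 and within:4. Fifty-eight bytes past the end of "MZ" is offset 0x3C of the DOS header, the e_lfanew field; byte_jump moves the cursor past the four bytes it read and then by that value, so cursor minus 64 is exactly MZ plus e_lfanew, where the PE signature must sit. The block below is an added example, not the converter's code: it translates that arithmetic directly and runs it on an HTTP response and PE stub constructed for the example (no real sample is involved).

```python
"""Direct translation of the byte_jump arithmetic in sid 2019165 (the Banload
rule in the log above).  Added example, not the converter's code; the HTTP
response and the PE stub are constructed here and stand in for no real sample."""
import struct

def pe_offset_after_mz(body):
    """Mirror of  content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little;
    content:"PE|00 00|"; distance:-64; within:4;  -> offset of "MZ" or -1."""
    hit = body.find(b"\r\n\r\nMZ")
    if hit == -1:
        return -1
    mz = hit + 4
    cursor = hit + 6                              # byte after the matched "MZ"
    field = cursor + 58                           # = mz + 0x3C: IMAGE_DOS_HEADER.e_lfanew
    if len(body) < field + 4:
        return -1
    e_lfanew = struct.unpack_from("<I", body, field)[0]
    cursor = field + 4 + e_lfanew                 # byte_jump: past the 4 read bytes, then the value
    start = cursor - 64                           # distance:-64 lands on mz + e_lfanew exactly
    if body[start:start + 4] != b"PE\x00\x00":    # within:4 leaves no slack for a 4-byte pattern
        return -1
    return mz

def banload_rule_hits(response):
    """Header check from the same rule (content:"Content-Type|3a 20|image/"; http_header;)
    plus the body check; flowbits:isset,ET.autoit.ua is session state and is not modelled."""
    head, sep, _ = response.partition(b"\r\n\r\n")
    return sep == b"\r\n\r\n" and b"Content-Type: image/" in head and pe_offset_after_mz(response) != -1

def fake_image_response(e_lfanew=0x80, pe_magic=b"PE\x00\x00"):
    """Constructed HTTP response: image/jpeg Content-Type, then a DOS header whose
    e_lfanew (offset 0x3C) points at the PE signature; e_lfanew must be >= 0x40."""
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    dos = bytearray(b"MZ".ljust(0x40, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return headers + bytes(dos).ljust(e_lfanew, b"\x00") + pe_magic + b"\x4c\x01"
```

Because the jump is driven by a field read from the packet, a body that is cut off before offset 0x3C, or whose e_lfanew points past the end, simply fails the rule; that is the same behaviour the real byte_jump has when the jump leaves the payload, and it is why the check on the remaining length comes before the unpack.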
^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29 Parser failed - skipping rule |---------------------| Building Rule: 2019186 Protocol Not Supported |---------------------| Building Rule: 2019187 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 0d 0a 80 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019188 -------- Hex Payload Start ---------- 76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b --------- Hex Payload End ----------- ^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/1400000000.htm"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; uricontent:"/a/1400000000.htm"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019189; rev:2;) Parser failed - skipping rule ^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref content:""+"cov.br,"; |---------------------| Building Rule: 2019190 -------- Hex Payload Start ---------- 46 69 6e 64 50 72 6f 78 79 46 6f 72 55 52 4c 22 50 52 4f 58 59 20 22 2b 22 63 6f 76 2e 62 72 2c --------- Hex Payload End ----------- ^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9]) content:"#\x"; |---------------------| Building Rule: 2019191 -------- Hex Payload Start ---------- 46 69 6e 64 50 72 6f 78 79 46 6f 72 55 52 4c 20 72 65 74 75 72 6e 20 22 50 52 4f 58 59 20 00 5c 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019192 Protocol Not Supported ^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E content:"a*/"oft."; |---------------------| Building Rule: 2019193 -------- Hex Payload Start ---------- 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 4d 69 63 72 6f 73 22 2b 2f 2a 20 61 2a 2f 22 6f 66 74 2e --------- Hex Payload End ----------- &dr=\d+$ uricontent:"&dr=0"; |---------------------| Building Rule: 2019194 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- &nrk=\d+$ uricontent:"&nrk=0"; |---------------------| Building Rule: 2019195 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019196 Protocol Not 
Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NewPosThings Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"cs="; http_client_body; content:"&p="; http_client_body; content:"&m="; http_client_body; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019197; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NewPosThings Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"cs="; http_client_body; content:"&m="; http_client_body; content:"&ls="; http_client_body; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019198; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019199 Error here depth! 
-------- Hex Payload Start ---------- 50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 62 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 29 20 41 63 63 65 70 74 3a 20 3f 2a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019200 Protocol Not Supported |---------------------| Building Rule: 2019205 Protocol Not Supported |---------------------| Building Rule: 2019206 Protocol Not Supported |---------------------| Building Rule: 2019207 -------- Hex Payload Start ---------- 01 00 00 00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 01 01 02 00 00 00 01 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019208 -------- Hex Payload Start ---------- 08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00 --------- Hex Payload End ----------- \/14\d{8}(?:\.pdf)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/1400000000"; |---------------------| Building Rule: 2019209 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Neutrino ping"; flow:to_server,established; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"ping=1|0a|"; depth:7; http_client_body; fast_pattern; content:"Content-Length|3a 20|7|0d 0a|"; nocase; http_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2019211; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN Bossabot DDoS tool RFI attempt"; flow:to_server,established; content:"POST"; http_method; content:"php?-d|20|allow_url"; http_uri; fast_pattern; content:"auto_prepend_file|3d|php|3a 2f|"; http_uri; content:"<?php|0d 0a|"; depth:7; http_client_body; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823; classtype:trojan-activity; sid:2019212; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019213 Protocol Not Supported [^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12 content:"##@#"; |---------------------| Building Rule: 2019202 Error here depth! Error here within! -------- Hex Payload Start ---------- 20 20 12 12 20 12 20 20 12 12 20 12 20 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 20 00 00 40 12 --------- Hex Payload End ----------- [^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33 content:"###3"; |---------------------| Building Rule: 2019203 Error here depth! Error here within! -------- Hex Payload Start ---------- 20 20 33 33 20 33 20 20 33 33 20 33 20 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 20 00 00 00 33 --------- Hex Payload End ----------- [^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18 content:"## #"; |---------------------| Building Rule: 2019204 Error here depth! Error here within! 
-------- Hex Payload Start ---------- 20 20 18 18 20 18 20 20 18 18 20 18 20 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 20 00 00 20 18 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019214 -------- Hex Payload Start ---------- 20 20 ff d8 ff e0 00 10 4a 46 49 46 20 00 43 41 50 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019215 -------- Hex Payload Start ---------- 00 4d 49 43 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019216 -------- Hex Payload Start ---------- 00 4d 53 47 7c 27 7c 27 7c 20 45 78 65 63 75 74 65 64 20 41 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019217 -------- Hex Payload Start ---------- 00 72 73 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019218 -------- Hex Payload Start ---------- 00 73 72 76 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019219 -------- Hex Payload Start ---------- 00 52 47 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019220 -------- Hex Payload Start ---------- 00 70 72 6f 63 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019221 -------- Hex Payload Start ---------- 00 66 6d 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019222 -------- Hex Payload Start ---------- 00 6b 6c 7c 27 7c 27 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019224 -------- Hex Payload Start ---------- 45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 32 36 20 4a 75 6c 20 31 39 39 37 20 30 35 3a 30 30 3a 30 30 20 47 4d 54 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 53 61 74 2c 20 32 36 20 4a 75 6c 20 32 30 34 30 20 30 35 3a 30 30 3a 30 30 20 47 4d 54 0d 0a --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2019225 Protocol Not Supported ^\s*?[A-Z0-9a-z\+]+?\s*?\x7d content:"A}"; |---------------------| Building Rule: 2019226 -------- Hex Payload Start ---------- 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 43 3a 5c 52 6f 63 6b 2e 70 6e 67 20 7b 72 65 74 75 72 6e 20 41 7d 20 7d 66 75 6e 63 74 69 6f 6e 20 3b 66 75 6e 63 74 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019227 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SoftPulse.H Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/__dmp__/"; http_uri; fast_pattern:only; content:"data={"; depth:6; http_client_body; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:trojan-activity; sid:2019228; rev:3;) Parser failed - skipping rule ^\x2d?\d content:"0"; |---------------------| Building Rule: 2019229 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
^[a-z]{12} content:"aaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; content:"aaaaaaaaaaaa"; threshold: type both, track by_src, count 50, seconds 10; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:1;) Parser failed - skipping rule [=?&\x2f]\s*?\x28\x29\x20\x7b uricontent:"=()%20{"; |---------------------| Building Rule: 2019231 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019232 -------- Hex Payload Start ---------- 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019235 -------- Hex Payload Start ---------- 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- ^[^\s]+\s+[^\s]+\s+\x28\x29\x20\x7b[^\r\n]*?\r?$ content:"# # () {"; |---------------------| Building Rule: 2019236 -------- Hex Payload Start ---------- 20 28 29 20 7b 20 00 20 00 20 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019237 -------- Hex Payload Start ---------- 02 01 20 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019239 
-------- Hex Payload Start ---------- 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019240 Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019243 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019244 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 20 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019245 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 20 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019246 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 20 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019247 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 20 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019248 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 25 32 30 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019249 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 25 32 30 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019250 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 25 32 30 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019251 Error here within! 
-------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 39 25 32 30 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019252 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 20 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019253 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 20 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019254 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 20 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019255 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 20 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019256 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 30 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019257 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 30 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019258 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 30 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019259 Error here within! -------- Hex Payload Start ---------- 3f 20 25 32 38 25 32 30 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019260 Error here within! 
-------- Hex Payload Start ---------- 3f 20 28 25 32 39 20 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019261 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 20 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019262 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 20 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019263 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 20 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019264 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 25 32 30 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019265 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 25 32 30 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019266 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 25 32 30 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019267 Error here within! -------- Hex Payload Start ---------- 3f 20 28 25 32 39 25 32 30 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019268 Error here within! -------- Hex Payload Start ---------- 3f 20 28 29 20 7b 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019269 Error here within! 
-------- Hex Payload Start ---------- 3f 20 28 29 20 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019270 Error here within! -------- Hex Payload Start ---------- 3f 20 28 29 20 25 37 62 25 32 30 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019271 Error here within! -------- Hex Payload Start ---------- 3f 20 28 29 25 32 30 7b 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019272 Error here within! -------- Hex Payload Start ---------- 3f 20 28 29 25 32 30 25 37 62 20 --------- Hex Payload End ----------- [\?\=\x3a\s\x2f] content:"?"; |---------------------| Building Rule: 2019273 Error here within! -------- Hex Payload Start ---------- 3f 20 28 29 25 32 30 25 37 62 25 32 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019275 Protocol Not Supported |---------------------| Building Rule: 2019276 Protocol Not Supported |---------------------| Building Rule: 2019277 Protocol Not Supported |---------------------| Building Rule: 2019278 Protocol Not Supported ^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$ content:" "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019279 Protocol Not Supported |---------------------| Building Rule: 2019280 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BlackEnergy v2 POST Request"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&dv="; http_client_body; content:"&dpv="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019282 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BlackEnergy POST Request"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; depth:3; http_client_body; content:"&bid="; distance:0; http_client_body; fast_pattern; content:"&t="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,72372ffac0ee73dc8b6d237878e119c1; classtype:trojan-activity; sid:2019283; rev:2;) Parser failed - skipping rule ^\d+[^\r\n\s]+ content:"0#"; Unsupported keyword! 
Error parsing rule contents alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; content:"0#"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019285 -------- Hex Payload Start ---------- 2f 64 65 76 2f 74 63 70 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2019286 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 55 62 75 6e 74 75 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 3b 20 72 76 3a 31 35 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 31 35 2e 30 2e 31 --------- Hex Payload End ----------- ^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head> NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref content:"(","container","10","10","9.0.0",false,flashvars,params,attributes);</script></head>"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Job314 EK Landing"; flow:established,from_server; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern:only; content:"swfobject.embedSWF"; nocase; content:"(","container","10","10","9.0.0",false,flashvars,params,attributes);</script></head>"; classtype:trojan-activity; sid:2019287; rev:4;) Parser failed - skipping rule ^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$ Parser failed - skipping rule |---------------------| Building Rule: 2019289 -------- Hex Payload Start ---------- 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019290 -------- Hex Payload Start ---------- 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019291 -------- Hex Payload Start ---------- 28 29 0a 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019292 -------- Hex Payload Start ---------- 28 29 0d 0a 20 7b --------- Hex Payload End ----------- ^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b content:"mailfrom:() {"; |---------------------| Building Rule: 2019293 -------- Hex Payload Start ---------- 28 29 20 7b 20 6d 61 69 6c 66 72 6f 6d 3a 28 29 20 7b --------- Hex Payload End ----------- My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A content:"My IP: 0.0.0.0 "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019295 -------- Hex Payload Start ---------- 21 20 47 45 54 4c 4f 43 41 4c 49 50 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019296 -------- Hex Payload Start ---------- 21 20 50 49 4e 47 0a --------- Hex Payload End ----------- \x21\x20SCANNER\x20(ON|OFF)\x0A content:" SCANNER ON "; |---------------------| Building Rule: Protocol Not Supported ^[^\r\n]+?\n$ content:"# "; |---------------------| Building 
Rule: Protocol Not Supported \x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3} content:" JUNK 0.0.0.0"; |---------------------| Building Rule: 2019299 -------- Hex Payload Start ---------- 21 20 4a 55 4e 4b 20 20 21 20 4a 55 4e 4b 20 30 2e 30 2e 30 2e 30 --------- Hex Payload End ----------- \x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3} content:" UDP 0.0.0.0"; |---------------------| Building Rule: 2019300 -------- Hex Payload Start ---------- 21 20 55 44 50 20 20 21 20 55 44 50 20 30 2e 30 2e 30 2e 30 --------- Hex Payload End ----------- \x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3} content:" TCP 0.0.0.0"; |---------------------| Building Rule: 2019301 -------- Hex Payload Start ---------- 21 20 54 43 50 20 20 21 20 54 43 50 20 30 2e 30 2e 30 2e 30 --------- Hex Payload End ----------- \x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3} content:" HOLD 0.0.0.0"; |---------------------| Building Rule: 2019302 -------- Hex Payload Start ---------- 21 20 48 4f 4c 44 20 20 21 20 48 4f 4c 44 20 30 2e 30 2e 30 2e 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019303 -------- Hex Payload Start ---------- 21 20 4b 49 4c 4c 41 54 54 4b 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019304 -------- Hex Payload Start ---------- 21 20 4c 4f 4c 4e 4f 47 54 46 4f 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019305 Protocol Not Supported |---------------------| Building Rule: 2019306 Protocol Not Supported |---------------------| Building Rule: 2019307 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\d+&w=\d+&ua=.+&e=1$ uricontent:"0&w=0&ua=0&e=1"; |---------------------| Building Rule: 2019311 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2019312 -------- Hex Payload Start ---------- 0a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019313 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2019314 -------- Hex Payload Start ---------- 2f 64 65 76 2f 75 64 70 2f --------- Hex Payload End ----------- ^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28 NOT IMPL not _simple(av) in REPEATING CODES content:" ("substr")("; |---------------------| Building Rule: 2019315 -------- Hex Payload Start ---------- 28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29 20 72 65 74 75 72 6e 20 20 28 22 73 75 62 73 74 72 22 29 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019316 Protocol Not Supported |---------------------| Building Rule: 2019317 Protocol Not Supported |---------------------| Building Rule: 2019318 -------- Hex Payload Start ---------- 43 6c 69 65 6e 74 49 6e 66 6f 69 73 57 69 66 69 63 70 75 49 6e 66 6f 66 69 72 73 74 4f 6e 6c 69 6e 65 49 70 66 69 72 73 74 4f 6e 6c 69 6e 65 54 69 6d 65 69 6d 65 69 69 70 41 64 64 72 70 68 6f 6e 65 42 72 61 6e 64 70 68 6f 6e 65 4e 75 6d 62 65 72 73 69 6d 4f 70 65 72 61 74 6f 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019319 Protocol Not Supported |---------------------| Building Rule: 2019320 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019322 -------- Hex Payload Start ---------- 20 20 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019323 -------- Hex Payload Start ---------- 20 20 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019324 -------- Hex Payload Start ---------- 64 61 74 61 3a 20 62 61 73 65 36 34 2c 55 45 73 44 42 --------- Hex Payload End ----------- ^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b content:""; |---------------------| Building Rule: 2019326 -------- Hex Payload Start ---------- 4e 49 43 4b 20 --------- Hex Payload End ----------- 
^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b content:""; |---------------------| Building Rule: 2019327 -------- Hex Payload Start ---------- 4e 49 43 4b 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019328 Protocol Not Supported |---------------------| Building Rule: 2019329 Protocol Not Supported |---------------------| Building Rule: 2019330 Protocol Not Supported |---------------------| Building Rule: 2019331 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019332 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019333 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019335 -------- Hex Payload Start ---------- 28 29 20 7b 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019337 Protocol Not Supported |---------------------| Building Rule: 2019338 -------- Hex Payload Start ---------- 5c 78 34 33 5c 78 36 66 5c 78 36 63 5c 78 36 63 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 34 37 5c 78 36 31 5c 78 37 32 5c 78 36 32 5c 78 36 31 5c 78 36 37 5c 78 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019339 -------- Hex Payload Start ---------- 25 34 33 25 36 66 25 36 63 25 36 63 25 36 35 25 36 33 25 37 34 25 34 37 25 36 31 25 37 32 25 36 32 25 36 31 25 36 37 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019340 Protocol Not Supported ^\/blog\/[a-z0-9]+$ uricontent:"/blog/a"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cryptowall 2.0 DL URI Struct Oct 2 2014"; flow:to_server,established; content:"GET"; http_method; content:"/blog/"; http_uri; depth:6; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; uricontent:"/blog/a"; pcre:"/^User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a11\.0)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019341; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019342 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2;) Parser failed - skipping rule ^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019354 -------- Hex Payload Start ---------- 3a 69 72 63 2d 73 69 6e 6b 68 6f 6c 65 2e 63 65 72 74 2e 70 6c 20 3a 45 6e 64 20 6f 66 20 4d 4f 54 44 20 63 6f 6d 6d 61 6e 64 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019355 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2e 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019357 -------- Hex Payload Start ---------- 0d 0a 0d 0a 
7b 22 71 75 65 72 79 22 3a 22 74 61 73 6b 73 22 3a 22 72 65 66 65 72 65 72 22 3a 22 75 73 65 72 61 67 65 6e 74 22 3a 22 63 6c 69 63 6b 75 72 6c 22 3a --------- Hex Payload End ----------- \/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/1400000000"; |---------------------| Building Rule: 2019358 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019360 Protocol Not Supported |---------------------| Building Rule: 2019361 Protocol Not Supported |---------------------| Building Rule: 2019363 Protocol Not Supported |---------------------| Building Rule: 2019364 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt Client Body"; flow:to_server,established; content:"/token.cgi"; http_uri; nocase; content:"&realname=login_name"; http_client_body; nocase; fast_pattern:only; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019365; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2019366 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 32 44 6f 77 6e 6c 6f 61 64 7a 2e 63 6f 6d 20 41 67 65 6e 74 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019367 -------- Hex Payload Start ---------- 44 65 74 65 63 74 46 6c 61 73 68 46 6f 72 4d 53 49 45 28 29 20 44 65 74 65 63 74 50 64 66 46 6f 72 4d 53 49 45 28 29 20 68 74 74 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019368 -------- Hex Payload Start ---------- 23 64 65 66 61 75 6c 74 
23 56 4d 4c 20 64 77 6f 72 64 32 64 61 74 61 20 6c 6f 63 61 6c 68 6f 73 74 20 2e 73 77 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019369 -------- Hex Payload Start ---------- 5c 78 33 63 5c 78 36 34 5c 78 36 39 5c 78 37 36 5c 78 32 30 5c 78 36 39 5c 78 36 34 5c 78 33 64 5c 78 32 32 5c 78 36 63 5c 78 36 66 5c 78 36 63 5c 78 32 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019370 -------- Hex Payload Start ---------- 31 37 37 36 5f 63 6f 6e 63 61 74 2e 73 77 66 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019371 -------- Hex Payload Start ---------- 53 68 61 72 65 50 6f 69 6e 74 2e 4f 70 65 6e 44 6f 63 75 6d 65 6e 74 73 2e 33 20 53 68 61 72 65 50 6f 69 6e 74 2e 4f 70 65 6e 44 6f 63 75 6d 65 6e 74 73 2e 34 20 3a 41 4e 49 4d 41 54 45 43 4f 4c 4f 52 20 20 6d 73 2d 68 65 6c 70 3a 2f 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2019372 Error here within! -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29 75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29 20 75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28 20 20 20 20 2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 --------- Hex Payload End ----------- ^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+ NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT 
IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"0.___+._$$+._$+(![]+"")[._$_]+(![]+"")[._$_]+.$$$_+.$$__+.__+"\\"+.__$+.___+.$$$+.$_$_+"\\"+.__$+.$$_+._$_+.$_$$+.$_$_+"\\"+.__$+.$__+.$$$+.$$$_+"; |---------------------| Building Rule: 2019373 -------- Hex Payload Start ---------- 2e 5f 5f 24 2b 20 30 2e 5f 5f 5f 2b 2e 5f 24 24 2b 2e 5f 24 2b 28 21 5b 5d 2b 22 22 29 5b 2e 5f 24 5f 5d 2b 28 21 5b 5d 2b 22 22 29 5b 2e 5f 24 5f 5d 2b 2e 24 24 24 5f 2b 2e 24 24 5f 5f 2b 2e 5f 5f 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 5f 5f 5f 2b 2e 24 24 24 2b 2e 24 5f 24 5f 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 24 24 5f 2b 2e 5f 24 5f 2b 2e 24 5f 24 24 2b 2e 24 5f 24 5f 2b 22 5c 5c 22 2b 2e 5f 5f 24 2b 2e 24 5f 5f 2b 2e 24 24 24 2b 2e 24 24 24 5f 2b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019374 -------- Hex Payload Start ---------- 5c 78 37 36 5c 78 36 31 5c 78 37 32 5c 78 32 30 5c 78 37 33 5c 78 37 34 5c 78 37 32 5c 78 33 64 5c 78 37 35 5c 78 36 65 5c 78 36 35 5c 78 37 33 5c 78 36 33 5c 78 36 31 5c 78 37 30 5c 78 36 35 5c 78 32 38 5c 78 32 32 5c 78 32 35 5c 78 37 35 5c 78 33 31 5c 78 33 34 5c 78 33 31 5c 78 33 34 5c 78 32 35 5c 78 37 35 5c 78 33 31 5c 78 33 34 5c 78 33 31 5c 78 33 34 5c 78 32 32 5c 78 32 39 5c 78 33 62 --------- Hex Payload End ----------- ^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"#[#]+[+1]),16)^parseInt((#[]+[+1]),16));+=2;"; 
Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; content:"String.fromCharCode(parseInt|28 28|"; content:"#[#]+[+1]),16)^parseInt((#[]+[+1]),16));+=2;"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:trojan-activity; sid:2019375; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2019376 Protocol Not Supported ^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"?aaa="; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ursnif Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern:10,20; http_header; content:!"Referer|3a|"; http_header; content:"no-cache|0d 0a 0d 0a 0d 0a|"; isdataat:!1,relative; uricontent:"?aaa="; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019377; rev:5;) Parser failed - skipping rule ^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaa.php?aaa="; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:100<>325; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"/index.php"; http_uri; uricontent:"/aaa.php?aaa="; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019378; rev:8;) Parser failed - skipping rule ^\x2f[a-zA-Z]{4,}\x2ephp\x3f[a-zA-Z]{2,10}\x3d(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaa.php?aa="; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/PSW.Papras.CK file upload"; flow:established,to_server; content:"POST"; http_method; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern:6,20; http_client_body; uricontent:"/aaaa.php?aa="; reference:md5,5e7cbe7e62a6c5de45092ad0c4852d1a; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019379; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/usdeclar.txt"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ursnif Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:21; content:"/proto/netstrings.txt"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9134651a7c642798414d867874bdfe2f; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019381; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019382 Protocol Not Supported ^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n content:" "; |---------------------| Building Rule: Protocol Not Supported \/\d\.php\?sid=[0-9A-F]{32}$ uricontent:"/0.php?sid=00000000000000000000000000000000"; |---------------------| Building Rule: 2019384 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3a --------- Hex Payload End ----------- debugenableplugins=[a-zA-Z0-9]+?\x3b uricontent:"debugenableplugins=a;"; |---------------------| Building Rule: 2019385 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019387 Protocol Not Supported |---------------------| Building Rule: 2019388 Protocol Not Supported ^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b content:"a:() {"; |---------------------| Building Rule: 2019389 -------- Hex Payload Start ---------- 28 29 20 7b 20 61 3a 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019390 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- ^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D uricontent:"/search/?aa="; |---------------------| Building Rule: 2019391 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019392 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019393 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019394 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019395 -------- Hex Payload Start ---------- 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 20 37 45 42 45 46 42 43 30 2d 33 32 30 30 2d 31 31 64 32 2d 42 34 43 32 2d 30 30 41 30 43 39 36 39 37 44 31 37 20 43 6c 61 73 73 47 75 69 64 20 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c --------- Hex Payload End 
----------- |---------------------| Building Rule: 2019396 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 0b 73 65 72 76 65 72 34 6c 6f 76 65 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019397 -------- Hex Payload Start ---------- 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 52 00 75 00 6e 00 20 37 00 45 00 42 00 45 00 46 00 42 00 43 00 30 00 2d 00 33 00 32 00 30 00 30 00 2d 00 31 00 31 00 64 00 32 00 2d 00 42 00 34 00 43 00 32 00 2d 00 30 00 30 00 41 00 30 00 43 00 39 00 36 00 39 00 37 00 44 00 31 00 37 20 43 00 6c 00 61 00 73 00 73 00 47 00 75 00 69 00 64 00 20 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019398 -------- Hex Payload Start ---------- 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 20 37 45 42 45 46 42 43 30 2d 33 32 30 30 2d 31 31 64 32 2d 42 34 43 32 2d 30 30 41 30 43 39 36 39 37 44 31 37 20 43 6c 61 73 73 47 75 69 64 20 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019399 -------- Hex Payload Start ---------- 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 52 00 75 00 6e 00 20 37 00 45 00 42 00 45 00 46 00 42 00 43 00 30 00 2d 00 33 00 32 00 30 00 30 00 2d 00 31 00 31 00 64 00 32 00 2d 00 42 00 34 00 43 00 32 00 2d 00 30 00 30 00 41 00 30 00 43 00 39 00 36 00 39 00 37 00 44 00 
31 00 37 20 43 00 6c 00 61 00 73 00 73 00 47 00 75 00 69 00 64 00 20 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 --------- Hex Payload End ----------- \?[a-z0-9]{32}$ uricontent:"?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2019400 -------- Hex Payload Start ---------- 47 45 54 20 20 48 6f 73 74 3a 20 77 77 77 2e 65 63 62 2e 65 75 72 6f 70 61 2e 65 75 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_header; content:!"51"; within:2; http_header; content:!"60"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2019401; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2019402 -------- Hex Payload Start ---------- 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019403 -------- Hex Payload Start ---------- 28 29 20 7b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019405 -------- Hex Payload Start ---------- 70 70 74 2f 65 6d 62 65 64 64 69 6e 67 73 2f 6f 6c 65 4f 62 6a 65 63 74 --------- Hex Payload End ----------- ^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d content:"ABwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; 
|---------------------| Building Rule: 2019406 Protocol Not Supported ^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0 content:"AcHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; |---------------------| Building Rule: 2019407 Protocol Not Supported ^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3 content:"AcHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; |---------------------| Building Rule: 2019408 Protocol Not Supported |---------------------| Building Rule: 2019409 Protocol Not Supported |---------------------| Building Rule: 2019410 Protocol Not Supported |---------------------| Building Rule: 2019411 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019413 Protocol Not Supported |---------------------| Building Rule: 2019414 Protocol Not Supported type limit, track by_src, seconds 300, count 1 |---------------------| Building Rule: 2019415 -------- Hex Payload Start ---------- 16 03 00 --------- Hex Payload End ----------- type limit, track by_src, seconds 300, count 1 |---------------------| Building Rule: 2019416 
-------- Hex Payload Start ---------- 16 03 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2019419 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2019421 -------- Hex Payload Start ---------- 77 6f 71 75 6e 69 6d 61 6c 65 67 65 62 69 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 
Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2} NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"#0aa"; |---------------------| Building Rule: 2019454 Error here 
depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 20 20 20 20 20 20 20 64 63 20 06 62 65 61 63 6f 6e 20 0e 30 61 61
--------- Hex Payload End -----------
^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97
NOT IMPL not _simple(av) in REPEATING CODES
content:"#dc978a97";
|---------------------| Building Rule: 2019455
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 20 20 20 20 20 20 64 63 39 37 38 61 39 37 20 05 61 6c 65 72 74 20 08 64 63 39 37 38 61 39 37
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019456
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/00/0000aaaa/aaaaaaaa";
|---------------------| Building Rule: 2019457
-------- Hex Payload Start ----------
50 4f 53 54 20 20 20 3a 20 57 69 6e 64 6f 77 73 20 4e 54
--------- Hex Payload End -----------
\/catalog\/\d{3,}$
uricontent:"/catalog/000";
|---------------------| Building Rule: 2019458
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 3a
--------- Hex Payload End -----------
^\/mod_jshoppi(?:-|ng|\/)
uricontent:"/mod_jshoppi";
|---------------------| Building Rule: 2019459
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 3a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019460
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019461
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019462
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019463
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019464
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019465
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019466
Protocol Not Supported
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:19; content:"/newage.txt"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019467; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Deputy Dog checkin"; flow:established,to_server; content:"agtid="; http_header; content:"08x"; http_client_body; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:trojan-activity; sid:2019469; rev:1;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019470
Protocol Not Supported
|---------------------| Building Rule: 2019477
Protocol Not Supported
|---------------------| Building Rule:
Protocol Not Supported
\?action=(?:pld|exp)&exp=
uricontent:"?action=&exp=";
|---------------------| Building Rule: 2019479
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
\?action=lnd$
uricontent:"?action=lnd";
|---------------------| Building Rule: 2019480
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)
content:":#";
|---------------------| Building Rule: 2019471
-------- Hex Payload Start ----------
50 52 49 56 4d 53 47 20 20 3a 00
--------- Hex Payload End -----------
^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/A/A/A/A/A";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 1"; flow:established,to_server; content:"=1/"; http_uri; fast_pattern:only; uricontent:"/A/A/A/A/A"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:2;)
Parser failed - skipping rule
^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/A/A/A/A/A";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; uricontent:"/A/A/A/A/A"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:2;)
Parser failed - skipping rule
^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/A/A/A/A/A";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 3"; flow:established,to_server; content:"=1/"; http_uri; fast_pattern:only; uricontent:"/A/A/A/A/A"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:2;)
Parser failed - skipping rule
^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/A/A/A/A/A";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 4"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; uricontent:"/A/A/A/A/A"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:2;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019485
Protocol Not Supported
^[^\r\n]*?(?:p[ao]rt|udp|c?tcp|http|d(?:ie|ownload)|mail|c?back|(?:msg|notice)?flood)
content:"";
|---------------------| Building Rule: 2019486
-------- Hex Payload Start ----------
50 52 49 56 4d 53 47 20 20
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019487
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019488
-------- Hex Payload Start ----------
45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 32 36 20 4a 75 6c 20 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 53 61 74 2c 20 32 36 20 4a 75 6c 20 32 30 34 30 20 30 35 3a 30 30
--------- Hex Payload End -----------
^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+
NOT IMPL Groupref
NOT IMPL Groupref
NOT IMPL Groupref
NOT IMPL Groupref
content:" #(#+# </script> <script> (+# </script> <script> (+";
|---------------------| Building Rule:
Protocol Not Supported
|---------------------| Building Rule: 2019490
Error here depth!
-------- Hex Payload Start ----------
20 80 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019491
Error here depth!
-------- Hex Payload Start ----------
20 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019492
Error here depth!
-------- Hex Payload Start ----------
20 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019493
Protocol Not Supported
|---------------------| Building Rule: 2019494
Protocol Not Supported
|---------------------| Building Rule: 2019495
Protocol Not Supported
|---------------------| Building Rule: 2019496
Protocol Not Supported
|---------------------| Building Rule: 2019497
Error here within!
-------- Hex Payload Start ----------
0d 0a 0d 0a 20 2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api/client.asmx/SendData"; http_uri; content:"User-Agent|3A| mFramework HTTPGet"; http_header; fast_pattern:12,18; content:"CFG="; http_client_body; depth:4; content:"&Lng="; http_client_body; distance:0; content:"&sinst="; http_client_body; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:trojan-activity; sid:2019498; rev:3;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5;)
Parser failed - skipping rule
=0[0-2](?:&\w+=[a-fA-F0-9]{8}){2}&\w+=[a-fA-F0-9]+$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"=00&A=a";
|---------------------| Building Rule: 2019500
-------- Hex Payload Start ----------
50 4f 53 54 20 20 20 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 20 3a
--------- Hex Payload End -----------
0[0-2]0000[a-fA-F0-9]{16,}$
uricontent:"000000aaaaaaaaaaaaaaaa";
|---------------------| Building Rule: 2019501
-------- Hex Payload Start ----------
50 4f 53 54 20 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 20 3a
--------- Hex Payload End -----------
\.asp\?M00=\d+$
uricontent:".asp?M00=0";
|---------------------| Building Rule: 2019502
-------- Hex Payload Start ----------
50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 43 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 29 0d 0a 20 3a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019503
Protocol Not Supported
|---------------------| Building Rule: 2019504
Protocol Not Supported
|---------------------| Building Rule: 2019505
Protocol Not Supported
|---------------------| Building Rule: 2019506
Protocol Not Supported
|---------------------| Building Rule: 2019507
Protocol Not Supported
|---------------------| Building Rule: 2019508
Error here within!
-------- Hex Payload Start ----------
00 01 00 01 20 20 20 20 00 04 a1 45 0d 2c 20 6d
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019509
-------- Hex Payload Start ----------
4a 53 54 20 50 65 72 6c 20 49 72 63 42 6f 74 20 2e
--------- Hex Payload End -----------
&id=\d{15}$
uricontent:"&id=000000000000000";
|---------------------| Building Rule: 2019510
-------- Hex Payload Start ----------
20 20 20 20 2e
--------- Hex Payload End -----------
^\/\?pcrc=[0-9]{7,10}$
uricontent:"/?pcrc=0000000";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; content:"POST"; http_method; content:"/?pcrc="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; uricontent:"/?pcrc=0000000"; content:"0A0Czut"; depth:7; http_client_body; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:trojan-activity; sid:2019511; rev:5;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019512
Protocol Not Supported
^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------| Building Rule: 2019513
-------- Hex Payload Start ----------
78 2d 66 6c 61 73 68 2d 76 65 72 73 69 6f 6e 3a
--------- Hex Payload End -----------
^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------| Building Rule: 2019514
-------- Hex Payload Start ----------
4a 61 76 61 2f 31 2e
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019515
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 63 6c 69 65 6e 74 3a 20 20 3a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019516
Protocol Not Supported
|---------------------| Building Rule: 2019517
Protocol Not Supported
|---------------------| Building Rule: 2019518
Protocol Not Supported
|---------------------| Building Rule: 2019519
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 73 76 63 7a 32 35 65 33 6d 34 6d 77 6c 61 75 7a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019520
Protocol Not Supported
|---------------------| Building Rule: 2019521
Protocol Not Supported
|---------------------| Building Rule: 2019522
Protocol Not Supported
|---------------------| Building Rule: 2019523
Protocol Not Supported
|---------------------| Building Rule:
Protocol Not Supported
|---------------------| Building Rule: 2019535
-------- Hex Payload Start ----------
20 20
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019536
-------- Hex Payload Start ----------
20 20
--------- Hex Payload End -----------
^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})+
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"";
|---------------------| Building Rule: 2019537
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/.bin";
|---------------------| Building Rule: 2019538
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"";
|---------------------| Building Rule: 2019539
-------- Hex Payload Start ----------
50 4f 53 54 20
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019541
-------- Hex Payload Start ----------
2f 2f 20 73 74 6f 70 20 66 6f 72 20 73 6f 6d 65 74 69 6d 65 20 69 66 20 6e 65 65 64 65 64
--------- Hex Payload End -----------
\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$
Parser failed - skipping rule
^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/aaaa.php?aaaa=0";
|---------------------| Building Rule: 2019544
-------- Hex Payload Start ----------
20 74 20 74 20 2e
--------- Hex Payload End -----------
^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/?ai=#####";
|---------------------| Building Rule: 2019545
-------- Hex Payload Start ----------
20 20 2e
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019546
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 61 64 61 77 61 72 65 62 6c 6f 63 6b 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019547
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 61 64 6f 62 65 69 6e 63 6f 72 70 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019548
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 61 7a 75 72 65 6f 6e 2d 6c 69 6e 65 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019564
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0c 61 64 61 77 61 72 65 62 6c 6f 63 6b 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019565
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0b 61 64 6f 62 65 69 6e 63 6f 72 70 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019549
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 63 68 65 63 6b 6d 61 6c 77 61 72 65 2e 69 6e 66 6f 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019566
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0c 61 7a 75 72 65 6f 6e 2d 6c 69 6e 65 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019567
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0c 63 68 65 63 6b 6d 61 6c 77 61 72 65 04 69 6e 66 6f 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019550
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 63 68 65 63 6b 77 69 6e 66 72 61 6d 65 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019568
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0d 63 68 65 63 6b 77 69 6e 66 72 61 6d 65 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019569
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 09 63 68 65 63 6b 2d 66 69 78 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019570
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0d 68 6f 74 66 69 78 2d 75 70 64 61 74 65 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019551
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 63 68 65 63 6b 2d 66 69 78 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019571
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 09 6d 69 63 72 6f 73 6f 66 69 03 6f 72 67 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019572
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0f 6d 69 63 72 6f 73 6f 66 2d 75 70 64 61 74 65 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019552
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 68 6f 74 66 69 78 2d 75 70 64 61 74 65 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019573
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0b 73 63 61 6e 6d 61 6c 77 61 72 65 04 69 6e 66 6f 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019574
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0d 73 65 63 6e 65 74 63 6f 6e 74 72 6f 6c 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019575
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0f 73 65 63 75 72 69 74 79 70 72 61 63 74 69 63 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019576
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 09 73 79 6d 61 6e 74 74 65 63 03 6f 72 67 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019553
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 6d 69 63 72 6f 73 6f 66 69 2e 6f 72 67 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019577
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0d 74 65 73 74 73 65 72 76 69 63 65 32 34 03 6e 65 74 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019554
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 6d 69 63 72 6f 73 6f 66 2d 75 70 64 61 74 65 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019578
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0f 74 65 73 74 73 6e 65 74 63 6f 6e 74 72 6f 6c 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019579
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 08 75 70 64 61 74 65 70 63 03 6f 72 67 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019555
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 73 63 61 6e 6d 61 6c 77 61 72 65 2e 69 6e 66 6f 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019580
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 75 70 64 61 74 65 73 6f 66 74 77 61 72 65 32 34 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019581
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0f 77 69 6e 64 6f 77 73 2d 75 70 64 61 74 65 72 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019556
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 73 65 63 6e 65 74 63 6f 6e 74 72 6f 6c 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019582
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0c 63 68 65 63 6b 6d 61 6c 77 61 72 65 03 6f 72 67 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019557
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 73 65 63 75 72 69 74 79 70 72 61 63 74 69 63 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019558
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 74 65 73 74 73 65 72 76 69 63 65 32 34 2e 6e 65 74 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019559
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 74 65 73 74 73 6e 65 74 63 6f 6e 74 72 6f 6c 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019560
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 75 70 64 61 74 65 70 63 2e 6f 72 67 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019561
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 75 70 64 61 74 65 73 6f 66 74 77 61 72 65 32 34 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019562
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 77 69 6e 64 6f 77 73 2d 75 70 64 61 74 65 72 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019563
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 63 68 65 63 6b 6d 61 6c 77 61 72 65 2e 6f 72 67 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019583
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 73 79 6d 61 6e 74 74 65 63 2e 6f 72 67 0d 0a
--------- Hex Payload End -----------
^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$
NOT IMPL not _simple(av) in REPEATING CODES
content:"";
|---------------------| Building Rule: 2019584
-------- Hex Payload Start ----------
0d 0a 0d 0a 4f 00 4b 00 00 00 20
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019585
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 6d 73 6f 6e 6c 69 6e 65 6c 69 76 65 2e 63 6f 6d 0d 0a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019586
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0c 6d 73 6f 6e 6c 69 6e 65 6c 69 76 65 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019587
-------- Hex Payload Start ----------
85 19 00 00 25 04 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019588
-------- Hex Payload Start ----------
86 19 00 00 04 01 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019589
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019590
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019592
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019593
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:trojan-activity; sid:2019594; rev:2;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019595
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
^\d
content:"0";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; content:"0"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019597
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 57 69 6e 64 6f 77 73 20 46 69 72 65 77 61 6c 6c 20 77 61 72 6e 69 6e 67 21 3c 2f 74 69 74 6c 65 3e
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019598
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019599
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 4f 70 65 72 61 74 69 6e 67 20 53 79 73 74 65 6d 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e
--------- Hex Payload End -----------
\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$
Parser failed - skipping rule
[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28
content:"###(";
|---------------------| Building Rule: 2019601
Error here depth!
Error here within!
-------- Hex Payload Start ----------
20 20 28 28 20 28 20 20 28 28 20 28 20 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 20 00 00 05 28
--------- Hex Payload End -----------
^[\x20-\x7e]+?.{8}\x83\x7f
content:" 00000000";
Unsupported keyword!
Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:to_server,established; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:trojan-activity; sid:2019602; rev:1;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019603
Protocol Not Supported
|---------------------| Building Rule: 2019604
Protocol Not Supported
|---------------------| Building Rule: 2019605
Protocol Not Supported
|---------------------| Building Rule: 2019606
-------- Hex Payload Start ----------
62 75 69 6c 64 64 61 74 65 3a 20 20 76 65 72 73 69 6f 6e 3a 20 20 69 64 3a 20 20 47 45 54
--------- Hex Payload End -----------
\/[a-z]+\.k(?:ey)?btc$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a.kbtc";
|---------------------| Building Rule: 2019607
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
|---------------------| Building Rule:
Protocol Not Supported
^[a-z]{12}
content:"aaaaaaaaaaaa";
Unsupported keyword!
Error parsing rule contents
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; content:"aaaaaaaaaaaa"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019610
-------- Hex Payload Start ----------
20 6e 61 6d 65 3d 22 45 49 54 65 73 74 22 20
--------- Hex Payload End -----------
\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------| Building Rule: 2019611
-------- Hex Payload Start ----------
4a 61 76 61 2f 31 2e 20 20
--------- Hex Payload End -----------
\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}$
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;100000;0";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|1"; http_uri; offset:60; content:"|3b|"; http_uri; distance:5; within:1; content:!"="; http_uri; content:!"&"; http_uri; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;100000;0"; classtype:trojan-activity; sid:2019612; rev:7;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019613
-------- Hex Payload Start ----------
41 00 75 00 74 00 6f 00 4f 00 70 00 65 00 6e
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019614
-------- Hex Payload Start ----------
41 00 75 00 74 00 6f 00 45 00 78 00 65 00 63
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019615
Protocol Not Supported
|---------------------| Building Rule: 2019616
Protocol Not Supported
|---------------------| Building Rule: 2019617
Protocol Not Supported
|---------------------| Building Rule: 2019618
-------- Hex Payload Start ----------
51 51 42 31 41 48 51 41 62 77 42 46 41 48 67 41 5a 51 42 6a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019619
Protocol Not Supported
|---------------------| Building Rule: 2019620
Protocol Not Supported
^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}
content:"ETag: "075BCD150:a";
|---------------------| Building Rule: 2019621
-------- Hex Payload Start ----------
45 54 61 67 3a 20 20 37 35 42 43 44 31 35 20 45 54 61 67 3a 20 22 30 37 35 42 43 44 31 35 30 3a 61
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019622
-------- Hex Payload Start ----------
50 4f 53 54 20 20 20 3a
--------- Hex Payload End -----------
\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;4000000";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;4000000"; classtype:trojan-activity; sid:2019623; rev:2;)
Parser failed - skipping rule
\/\??[a-f0-9]{60,}\x3b5[0-1]\d{5}$
uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;5000000";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta SilverLight 5.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|5"; http_uri; offset:60; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;5000000"; classtype:trojan-activity; sid:2019624; rev:2;)
Parser failed - skipping rule
|---------------------| Building Rule: 2019625
Error here within!
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 20 20 3a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019626
Error here within!
-------- Hex Payload Start ----------
43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 36 34 0d 0a 20 0d 0a 0d 0a 20 67 41 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019627
-------- Hex Payload Start ----------
70 72 65 67 5f 72 65 70 6c 61 63 65
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019628
Protocol Not Supported
|---------------------| Building Rule: 2019630
Error here within!
-------- Hex Payload Start ----------
53 65 72 76 65 72 3a 48 54 54 50 53 65 72 76 65 72 58 20 0d 0a 0d 0a 20 31 34 0d 0a 0d 0a 30 0d 0a 0d 0a
--------- Hex Payload End -----------
^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$
NOT IMPL not _simple(av) in REPEATING CODES
content:"@$@";
|---------------------| Building Rule: 2019631
-------- Hex Payload Start ----------
0d 0a 0d 0a 40 24 40 20 40 24 40
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019633
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 19 00 00 00 20 00 20 ff
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019634
-------- Hex Payload Start ----------
61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019635
Protocol Not Supported
&id=[A-F0-9]+$
uricontent:"&id=A";
|---------------------| Building Rule: 2019636
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019637
-------- Hex Payload Start ----------
4a 4f 49 4e 20 23 73 68 6f 63 6b 20 37 37 37 50 52 49 56 4d 53 47 20 23 73 68 6f 63 6b 20 3a 75 69 64 3d
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019639
Protocol Not Supported
|---------------------| Building Rule: 2019638
Error here depth!
-------- Hex Payload Start ----------
72 75 61 72 63 3d 20 72 75 61 72 63 3d
--------- Hex Payload End -----------
|---------------------| Building Rule: 2019640
Error here depth!
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 6d 61 6c 77 61 72 65 63 68 65 63 6b 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019641 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 6d 61 6c 77 61 72 65 63 68 65 63 6b 2e 69 6e 66 6f 0d 0a --------- Hex Payload End ----------- ^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f Parser failed - skipping rule ^[^>\r\n<]+>[A-Za-z]{70} content:"#>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2019643 -------- Hex Payload Start ---------- 63 6c 61 73 73 3d 22 67 72 65 65 6e 5f 63 6c 61 73 73 22 20 00 3e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019644 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 23 79 6f 75 20 67 6f 74 20 73 68 65 6c 6c 73 68 6f 63 6b 65 64 3f 3f 3f --------- Hex Payload End ----------- |---------------------| Building Rule: 2019645 Protocol Not Supported |---------------------| Building Rule: 2019646 Protocol Not Supported ^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70} Parser failed - skipping rule |---------------------| Building Rule: 2019648 Protocol Not Supported |---------------------| Building Rule: 2019649 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019651 Protocol Not Supported |---------------------| Building Rule: 2019652 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"act="; depth:4; http_client_body; content:"&atom="; distance:0; fast_pattern; http_client_body; content:"&id="; distance:0; http_client_body; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer|3a|"; http_header; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:trojan-activity; sid:2019653; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported ^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)? NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"harA"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; content:"harA"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:trojan-activity; sid:2019655; rev:6;) Parser failed - skipping rule ^\/[^\x2f]*?flashhigh\.swf$ uricontent:"/flashhigh.swf"; |---------------------| Building Rule: 2019656 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[^\x2f]*?flashlow\.swf$ uricontent:"/flashlow.swf"; |---------------------| Building Rule: 2019657 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[^\x2f]*?silverapp1\.xap$ uricontent:"/silverapp1.xap"; |---------------------| Building Rule: 2019658 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[^\x2f]*?iebasic\.html$ uricontent:"/iebasic.html"; |---------------------| Building Rule: 2019659 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019660 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 67 6c 6f 62 61 6c 75 70 64 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019661 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019662 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019663 -------- Hex Payload Start ---------- 7b 22 72 65 73 75 6c 74 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 22 --------- Hex Payload End ----------- |---------------------| 
Building Rule: 2019664 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019665 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019666 -------- Hex Payload Start ---------- 47 45 54 20 48 6f 73 74 3a 20 77 77 77 2e 63 6f 6d 65 69 6e 62 61 62 79 2e 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2019667 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 63 6f 6d 65 69 6e 62 61 62 79 03 63 6f 6d 00 --------- Hex Payload End ----------- \/14\d{8}(?:\.xap)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/1400000000"; |---------------------| Building Rule: 2019668 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019669 -------- Hex Payload Start ---------- 0d 0a 0d 0a 50 4b 20 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2019670 Protocol Not Supported |---------------------| Building Rule: 2019671 Protocol Not Supported \/[a-z]{3,7}\.php$ uricontent:"/aaa.php"; |---------------------| Building Rule: 2019672 216.157.99.0 SELF>DST -------- Hex Payload Start ---------- 20 20 74 20 3a 20 74 20 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a --------- Hex Payload End ----------- \/(?:[a-z0-9]{1,7}\.php)?\?zho= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/?zho="; |---------------------| Building Rule: 2019673 216.157.99.0 SELF>DST -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaa.swf"; |---------------------| Building Rule: 2019674 216.157.99.0 SELF>DST -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2019675 -------- Hex Payload Start ---------- 3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e 22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e 3c 69 66 72 61 6d 65 20 20 76 73 70 61 63 65 3d 20 30 20 20 68 73 70 61 63 65 3d 20 30 20 20 6d 61 72 67 69 6e 77 69 64 74 68 3d 20 30 3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019677 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019678 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 3a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:trojan-activity; sid:2019679; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019680 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019684 -------- Hex Payload Start ---------- 75 73 69 64 3d 73 69 64 3a 7b 27 --------- Hex Payload End ----------- \/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/tslyphper.html"; |---------------------| Building Rule: 2019681 -------- Hex Payload Start 
---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019682 -------- Hex Payload Start ---------- 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miuref/Boaxxe Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"bB"; offset:2; depth:2; http_client_body; content:"MqrU"; within:20; http_client_body; content:"VAMU"; within:29; fast_pattern; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:trojan-activity; sid:2019683; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2019685 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; urilen:10; content:"/login.cgi"; http_uri; content:"GO=&jump="; http_client_body; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:3;) Parser failed - skipping rule \/images\/view\.php$ uricontent:"/images/view.php"; |---------------------| Building Rule: 2019687 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- Hex Payload End ----------- \/txt\/read\.php$ uricontent:"/txt/read.php"; |---------------------| Building Rule: 2019688 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019689 -------- Hex Payload Start ---------- 65 6d 62 65 64 53 57 46 28 22 69 6e 64 65 78 2e 73 77 66 3f 61 63 74 69 6f 6e 3d 73 77 66 22 20 73 72 63 3d 22 69 6e 64 
65 78 2e 6a 73 3f 61 63 74 69 6f 6e 3d 73 77 66 6f 62 6a 65 63 74 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019690 -------- Hex Payload Start ---------- 78 6d 6c 68 74 74 70 2e 6f 70 65 6e 28 22 50 4f 53 54 22 2c 20 22 2f 66 6f 6f 22 2c 20 66 61 6c 73 65 29 3b 78 6d 6c 68 74 74 70 2e 73 65 6e 64 28 73 65 6e 64 73 74 72 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019691 Protocol Not Supported ^[a-z]{16} content:"aaaaaaaaaaaaaaaa"; type both, track by_src, count 12, seconds 120 |---------------------| Building Rule: 2019692 Error here depth! Error here within! Error here within! -------- Hex Payload Start ---------- 20 20 20 20 00 01 00 00 00 01 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 02 65 75 00 20 10 20 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- ^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$ uricontent:"/A/A/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Emotet Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"/"; offset:1; http_uri; content:"/"; distance:0; http_uri; content:"MSIE 7.0|3b|"; http_header; fast_pattern; content:"Windows NT 6.0"; within:15; http_header; uricontent:"/A/A/"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019693; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2019694 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 08 69 6e 74 6f 68 61 76 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019695 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 0c 66 61 73 74 65 72 6e 61 74 69 6f 6e 03 6e 65 74 00 --------- Hex Payload End ----------- \/bin\.exe$ uricontent:"/bin.exe"; |---------------------| Building Rule: 2019696 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- \/get\/get\.php$ uricontent:"/get/get.php"; |---------------------| Building Rule: 2019697 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019698 Protocol Not Supported |---------------------| Building Rule: 2019699 Protocol Not Supported |---------------------| Building Rule: 2019700 Protocol Not Supported |---------------------| Building Rule: 2019701 Protocol Not Supported |---------------------| Building Rule: 2019702 Protocol Not Supported |---------------------| Building Rule: 2019703 Protocol Not Supported \.php$ uricontent:".php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Emotet CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"<email_accounts_list>"; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; uricontent:".php"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:trojan-activity; sid:2019704; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019705 Protocol Not Supported ^\s*?Preserve content:"Preserve"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; content:"Preserve"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3;) Parser failed - skipping rule ^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute) content:""; |---------------------| Building Rule: 2019707 -------- Hex Payload Start ---------- 76 62 73 63 72 69 70 74 20 73 68 65 6c 6c 65 78 65 63 75 74 65 20 3c 73 63 72 69 70 74 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019708 Protocol Not Supported |---------------------| Building Rule: 2019709 Protocol Not Supported |---------------------| Building Rule: 2019710 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net) content:"Host: ns1.help"; |---------------------| Building Rule: 2019711 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 6e 73 31 2e 68 65 6c 70 20 48 6f 73 74 3a 20 6e 73 31 2e 68 65 6c 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019712 -------- Hex Payload Start ---------- 47 00 46 00 49 --------- Hex Payload End ----------- ^[a-zA-Z0-9+/]{43} uricontent:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2019713 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- \/[A-Z]?[a-z]{1,3}[0-9]?\.exe$ uricontent:"/a.exe"; |---------------------| Building Rule: 2019714 -------- Hex Payload Start 
---------- 20 20 2e --------- Hex Payload End ----------- ^\W content:""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; content:"vbscript"; nocase; content:"Xor"; nocase; content:""; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern:only; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3;) Parser failed - skipping rule ^[A-Za-z0-9\s/+]{100} content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2019716 -------- Hex Payload Start ---------- 62 69 6e 2e 62 61 73 65 36 34 20 3c 66 69 6c 65 20 3c 73 74 72 65 61 6d 20 3c 3f 78 6d 6c 20 54 56 71 51 41 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019718 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 6d 61 6e 68 75 61 62 61 03 63 6f 6d 02 63 6e 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019719 Protocol Not Supported |---------------------| Building Rule: 2019720 Protocol Not Supported |---------------------| Building Rule: 2019721 Protocol Not Supported |---------------------| Building Rule: 2019722 -------- Hex Payload Start ---------- 66 6c 61 73 68 5f 72 75 6e 32 20 73 69 6c 76 65 72 5f 72 75 6e 20 6d 73 69 65 5f 72 75 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019723 -------- Hex Payload Start ---------- 66 66 62 67 72 6e 74 68 35 77 65 28 61 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019724 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019725 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019726 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$ Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019729 -------- Hex Payload Start ---------- 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 29 0d 0a 0d 0a --------- Hex Payload End ----------- ^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27) content:"="; |---------------------| Building Rule: 2019730 -------- Hex Payload Start ---------- 75 6e 65 73 63 61 70 65 20 25 75 20 43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65 20 69 6e 6e 65 72 48 54 4d 4c 20 3d --------- Hex 
Payload End ----------- ^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"20Preserve"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; content:"20Preserve"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:4;) Parser failed - skipping rule ^(?:\x25(?:25)*?20|\s)*?runmumaa\W NOT IMPL not _simple(av) in REPEATING CODES content:"runmumaa!"; |---------------------| Building Rule: 2019733 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 72 75 6e 6d 75 6d 61 61 21 20 72 75 6e 6d 75 6d 61 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019734 -------- Hex Payload Start ---------- 63 68 72 77 28 30 31 29 26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26 63 68 72 77 28 30 30 29 26 63 68 72 77 28 30 30 29 26 63 68 72 77 28 30 30 29 26 63 68 72 77 28 30 30 29 26 63 68 72 77 28 30 30 29 --------- Hex Payload End ----------- ^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801 NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"282176%29%26chrw%2801"; |---------------------| Building Rule: 2019735 -------- Hex Payload Start ---------- 63 68 72 77 25 20 32 38 32 31 37 36 25 32 39 25 32 36 63 68 72 77 25 32 38 30 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019736 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 70 61 79 74 6f 72 64 6d 62 64 65 6b 6d 69 7a 71 --------- Hex Payload End ----------- ^\/(?:text|json|xml)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; |---------------------| Building Rule: 2019737 -------- Hex Payload Start ---------- 47 45 54 20 77 74 66 69 73 6d 79 69 70 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019738 -------- Hex Payload Start ---------- ac ed 00 00 --------- Hex Payload End ----------- ^[\x53\x54] content:"S"; |---------------------| Building Rule: 2019739 Error here within! -------- Hex Payload Start ---------- 78 70 20 20 20 20 1f 8b 08 00 00 00 00 00 00 00 6d 20 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019740 Error here within! -------- Hex Payload Start ---------- 78 70 20 20 20 20 1f 8b 08 00 00 00 00 00 00 00 75 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019741 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019742 -------- Hex Payload Start ---------- 76 3a 73 74 72 6f 6b 65 20 69 64 3d 27 62 65 67 27 20 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e --------- Hex Payload End ----------- \/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$ uricontent:"/a-a-a.html?a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; uricontent:"/a-a-a.html?a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:trojan-activity; sid:2019743; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2019744 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/Drop2(?:-\d+)\.swf$ uricontent:"/Drop2.swf"; |---------------------| Building Rule: 2019745 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2019746 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 76 65 72 73 69 6f 6e 42 69 74 6d 65 73 73 61 67 65 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019747 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 67 65 74 2f --------- Hex Payload End ----------- |---------------------| Building Rule: 2019750 -------- Hex Payload Start ---------- 0d 0a 0d 0a 73 6d 64 6d 3a 2f 2f --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:2;) Parser failed - skipping rule type limit, track by_src, count 1, seconds 600 |---------------------| Building Rule: 2019749 -------- Hex Payload Start ---------- 50 4f 53 54 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 20 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 20 73 65 72 76 65 72 4b 65 79 3d 20 64 61 74 61 3d 20 6b 65 79 3d 20 3a 20 74 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019751 -------- Hex Payload Start ---------- 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b --------- Hex Payload End ----------- ^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaa.php?aaaa=a"; |---------------------| Building Rule: 2019752 -------- Hex Payload Start ---------- 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 20 3a --------- Hex Payload End ----------- ^\/[a-z0-9]+\/load\.php$ uricontent:"/a/load.php"; |---------------------| Building Rule: 2019753 -------- Hex Payload Start ---------- 47 45 54 20 
20 2e 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2019754 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 39 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 20 3a 20 2e 20 48 6f 73 74 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/[a-z0-9.&-]+(?:[a-z0-9]{4}-){3}[a-z0-9.&+-]+$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aa"; |---------------------| Building Rule: 2019756 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 39 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 20 3a 20 2e --------- Hex Payload End ----------- ^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)> NOT IMPL Groupref NOT IMPL Groupref content:"<a>a</><a>a</>"; |---------------------| Building Rule: 2019757 -------- Hex Payload Start ---------- 0d 0a 0d 0a 24 24 24 24 20 3c 61 3e 61 3c 2f 3e 3c 61 3e 61 3c 2f 3e --------- Hex Payload End ----------- ^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$ NOT IMPL Groupref NOT IMPL Groupref content:"<a>a</><a>a</>"; |---------------------| Building Rule: 2019758 -------- Hex Payload Start ---------- 24 24 24 24 20 3c 61 3e 61 3c 2f 3e 3c 61 3e 61 3c 2f 3e --------- Hex Payload End ----------- \/$ uricontent:"/"; |---------------------| Building Rule: 2019759 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 20 3a --------- Hex Payload End ----------- \/b\/pkg\/[A-Za-z0-9]{14,15}$ uricontent:"/b/pkg/AAAAAAAAAAAAAA"; |---------------------| Building Rule: 
2019760 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- ^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27] Parser failed - skipping rule ^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27] NOT IMPL not _simple(av) in REPEATING CODES content:"("/a/""; |---------------------| Building Rule: 2019762 -------- Hex Payload Start ---------- 73 77 66 6f 62 6a 65 63 74 2e 65 6d 62 65 64 53 57 46 20 28 22 2f 61 2f 22 --------- Hex Payload End ----------- ^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$ uricontent:"/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; uricontent:"/"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:trojan-activity; sid:2019763; rev:8;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\/\?0=(?:[^&]+?&\d+?=)+?[^=&]+?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/?0=#"; |---------------------| Building Rule: 2019767 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- ^\/[a-f0-9]{64}\.html$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.html"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.html"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:trojan-activity; sid:2019769; rev:4;) Parser failed - skipping rule ^\/[a-f0-9]{64}\.js$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.js"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.js"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:trojan-activity; sid:2019768; rev:4;) Parser failed - skipping rule ^\/[a-f0-9]{64}\.swf$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.swf"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.swf"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:trojan-activity; sid:2019770; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2019771 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019773 -------- Hex Payload Start ---------- 59 32 68 79 64 79 67 77 4d 53 6b 6d 59 32 68 79 64 79 67 79 4d 54 63 32 4b 53 5a 6a 61 48 4a 33 4b 44 41 78 4b 53 5a 6a 61 48 4a 33 4b 44 41 77 4b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019774 -------- Hex Payload Start ---------- 4e 6f 63 6e 63 6f 4d 44 45 70 4a 6d 4e 6f 63 6e 63 6f 4d 6a 45 33 4e 69 6b 6d 59 32 68 79 64 79 67 77 4d 53 6b 6d 59 32 68 79 64 79 67 77 4d 43 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019775 -------- Hex Payload Start ---------- 6a 61 48 4a 33 4b 44 41 78 4b 53 5a 6a 61 48 4a 33 4b 44 49 78 4e 7a 59 70 4a 6d 4e 6f 63 6e 63 6f 4d 44 45 70 4a 6d 4e 6f 63 6e 63 6f 4d 44 41 70 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault POST M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:"func=getemailurl"; http_client_body; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019777; rev:2;) Parser failed - skipping rule ^(?: Systems|\.com\/techsupport) content:""; type both,count 1,seconds 60,track by_dst |---------------------| Building Rule: 2019778 -------- Hex Payload Start ---------- 43 69 73 63 6f 20 --------- Hex Payload End ----------- \?action\d*?=[^&]+(?:&(?:action|update)\d+=[^&]*?)*?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"?action=#"; |---------------------| Building Rule: 2019779 -------- Hex Payload Start ---------- 20 20 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/CloudScout CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/QualityCheck/"; http_uri; fast_pattern; content:".php"; distance:0; http_uri; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla)"; http_header; content:"dp="; http_client_body; depth:3; content:"&sdp="; http_client_body; distance:0; content:"&a="; http_client_body; distance:0; reference:md5,c732b52b245444e3f568d372ce399911; classtype:trojan-activity; sid:2019780; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Creds Phished"; flow:established,to_server; content:"1="; http_client_body; content:"2="; http_client_body; content:"submit.x=Login"; http_client_body; classtype:bad-unknown; sid:2019781; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Name Address Phished"; flow:established,to_server; content:"_fn="; http_client_body; content:"_ln="; http_client_body; content:"_birthd="; http_client_body; fast_pattern:only; classtype:bad-unknown; sid:2019782; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Credit Card and SSN Phished"; flow:established,to_server; content:"_fulln="; http_client_body; fast_pattern:only; content:"_ccn="; http_client_body; content:"_ccv="; http_client_body; classtype:bad-unknown; sid:2019783; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Bank Account Phished"; flow:established,to_server; content:"_bkid="; http_client_body; content:"_bkpass="; http_client_body; fast_pattern:only; content:"_accn="; http_client_body; classtype:bad-unknown; sid:2019784; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019785 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 4c 6f 67 69 6e 20 2d 20 50 61 79 50 61 6c 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019786 Protocol Not Supported |---------------------| Building Rule: 2019787 Protocol Not Supported |---------------------| Building Rule: 2019788 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 63 76 72 65 64 69 72 65 63 74 05 6e 6f 2d 69 70 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019790 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 63 76 72 65 64 69 72 65 63 74 04 64 64 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019792 -------- Hex Payload Start ---------- 25 36 33 25 36 38 25 37 32 25 37 37 25 32 38 25 33 30 25 33 31 25 32 39 25 32 36 25 36 33 25 36 38 25 37 32 25 37 37 25 32 38 25 33 32 25 33 31 25 33 37 25 33 36 25 32 39 25 32 36 25 36 33 25 36 38 25 37 32 25 37 37 25 32 38 25 33 30 25 33 31 25 32 39 25 32 36 25 36 33 25 36 38 25 37 32 25 37 37 25 32 38 25 33 30 25 33 30 25 32 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019793 -------- Hex Payload Start ---------- 36 33 36 38 37 32 37 37 32 38 33 30 33 31 32 39 32 36 36 33 36 38 37 32 37 37 32 38 33 32 33 31 33 37 33 36 32 39 32 36 36 33 36 38 37 32 37 37 32 38 33 30 33 31 32 39 32 36 36 33 36 38 37 32 37 37 32 38 33 30 33 30 32 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019794 -------- Hex Payload Start ---------- 36 33 2c 36 38 2c 37 32 2c 37 37 2c 32 38 2c 33 30 2c 33 31 2c 32 39 2c 32 36 2c 36 33 2c 36 38 2c 37 32 2c 37 37 2c 32 38 2c 33 32 2c 33 31 2c 33 37 2c 33 36 2c 32 39 2c 32 36 2c 36 33 2c 36 38 2c 37 32 2c 37 37 2c 32 38 2c 33 30 2c 33 31 2c 32 39 2c 32 36 2c 36 33 2c 36 38 2c 37 32 2c 37 37 2c 32 38 2c 33 30 2c 33 30 2c 32 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019795 -------- Hex Payload Start ---------- 36 33 2c 20 36 38 2c 20 37 32 2c 20 37 37 2c 20 32 38 2c 20 33 30 2c 20 33 31 2c 20 32 39 2c 20 32 36 2c 20 36 33 2c 20 36 38 2c 20 37 32 2c 20 37 37 2c 20 32 38 2c 20 33 32 2c 20 33 31 2c 20 33 37 2c 20 33 36 2c 20 32 39 2c 20 32 36 2c 20 36 33 2c 20 36 38 2c 20 37 32 2c 20 37 37 2c 20 32 38 2c 20 33 30 2c 20 33 31 2c 20 32 39 2c 20 32 36 2c 20 36 33 2c 20 36 38 2c 20 37 32 2c 20 37 37 2c 20 32 38 2c 20 33 30 2c 20 33 
30 2c 20 32 39 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019796 -------- Hex Payload Start ---------- 39 39 2c 31 30 34 2c 31 31 34 2c 31 31 39 2c 34 30 2c 34 38 2c 34 39 2c 34 31 2c 33 38 2c 39 39 2c 31 30 34 2c 31 31 34 2c 31 31 39 2c 34 30 2c 35 30 2c 34 39 2c 35 35 2c 35 34 2c 34 31 2c 33 38 2c 39 39 2c 31 30 34 2c 31 31 34 2c 31 31 39 2c 34 30 2c 34 38 2c 34 39 2c 34 31 2c 33 38 2c 39 39 2c 31 30 34 2c 31 31 34 2c 31 31 39 2c 34 30 2c 34 38 2c 34 38 2c 34 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019797 -------- Hex Payload Start ---------- 39 39 2c 20 31 30 34 2c 20 31 31 34 2c 20 31 31 39 2c 20 34 30 2c 20 34 38 2c 20 34 39 2c 20 34 31 2c 20 33 38 2c 20 39 39 2c 20 31 30 34 2c 20 31 31 34 2c 20 31 31 39 2c 20 34 30 2c 20 35 30 2c 20 34 39 2c 20 35 35 2c 20 35 34 2c 20 34 31 2c 20 33 38 2c 20 39 39 2c 20 31 30 34 2c 20 31 31 34 2c 20 31 31 39 2c 20 34 30 2c 20 34 38 2c 20 34 39 2c 20 34 31 2c 20 33 38 2c 20 39 39 2c 20 31 30 34 2c 20 31 31 34 2c 20 31 31 39 2c 20 34 30 2c 20 34 38 2c 20 34 38 2c 20 34 31 --------- Hex Payload End ----------- ^[^\x27]+[\x27]\s* content:"#'"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Iframe Leading to EK"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; content:"#'"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern:73,20; within:93; isdataat:!3,relative; classtype:trojan-activity; sid:2019798; rev:5;) Parser failed - skipping rule ^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:trojan-activity; sid:2019799; rev:3;) Parser failed - skipping rule ^\/\?[a-f0-9]{32}$ uricontent:"/?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; uricontent:"/?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:trojan-activity; sid:2019800; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2019801 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019802 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019803 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"php|3a 2f 2f|input"; http_raw_uri; fast_pattern; content:"<?"; http_client_body; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2019805 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 2e 20 20 41 6e 64 72 6f 69 64 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019806 -------- Hex Payload Start ---------- 28 77 72 68 63 26 29 36 37 31 32 28 77 72 68 63 26 29 31 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019807 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 63 6b 6c 28 72 65 74 75 72 6e 20 62 6d 77 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019808 -------- Hex Payload Start ---------- 05 01 00 01 c0 b8 3c e5 00 51 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019809 -------- Hex Payload Start ---------- 05 01 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019810 Protocol Not Supported |---------------------| Building Rule: 2019811 Protocol Not Supported |---------------------| Building Rule: 2019812 Protocol Not Supported |---------------------| Building Rule: 2019813 Protocol Not Supported |---------------------| Building Rule: 2019814 Protocol Not Supported |---------------------| Building Rule: 2019815 Protocol Not Supported |---------------------| Building Rule: 2019818 Protocol Not Supported |---------------------| Building Rule: 2019819 Protocol Not Supported |---------------------| Building Rule: 2019821 -------- Hex Payload Start ---------- 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 
74 20 0a 20 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:8;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019823; rev:8;) Parser failed - skipping rule ^\x2Fpayment_gateway\x2F[a-z0-9]{3,}\x2Egz$ uricontent:"/payment_gateway/aaa.gz"; |---------------------| Building Rule: 2019824 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 72 61 4d 69 6e 69 0d 0a --------- Hex Payload End ----------- ^\x2Fapi\x2F(bit|lite)coin\x2Fbalance\x2F uricontent:"/api/bitcoin/balance/"; |---------------------| Building Rule: 2019825 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019826 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 70 6d 61 74 69 62 6c 65 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019827 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 31 3b 20 57 69 6e 64 6f 77 73 20 58 50 29 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| 
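Several rules above are echoed as `Error parsing rule contents ... Parser failed - skipping rule`; the converter does not name the option that tripped it, and the rules it did build show its payload layout: content matches decoded from their `|hex|` escapes and concatenated with single spaces. The following is an added example, not the converter's own code, of the two pieces that work needs: a tokenizer that splits the option section on `;` only outside double quotes, and a decoder for values such as `content:"php|3a 2f 2f|input"` (pipes delimit hex bytes, a leading `!` negates). The two rules it quotes, sid 2019804 and sid 2019822, are copied from the log; the `MODIFIERS` and `HANDLED` keyword sets are my own and not the converter's.

```python
"""Tokenise a Snort/Suricata rule's option section and decode its content
matches, including the |hex| escapes used throughout the log above.  Added
example, not the converter's code; the two rules are quoted from the log."""
import re

RULE_2019804 = (
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; '
    'flow:established,to_server; content:"POST"; http_method; content:"php|3a 2f 2f|input"; '
    'http_raw_uri; fast_pattern; content:"<?"; http_client_body; depth:2; '
    'reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; '
    'classtype:trojan-activity; sid:2019804; rev:3;)'
)
RULE_2019822 = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE"; '
    'flow:established,from_server; flowbits:isset,et.WinHttpRequest; content:"|0d 0a 0d 0a|MZ"; '
    'byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; '
    'classtype:trojan-activity; sid:2019822; rev:8;)'
)

# Content modifiers (Snort 2 syntax: they trail the content they qualify).
MODIFIERS = {"nocase", "depth", "offset", "distance", "within", "fast_pattern",
             "http_method", "http_uri", "http_raw_uri", "http_header", "http_raw_header",
             "http_client_body", "http_cookie", "http_stat_code", "rawbytes"}
# Everything a generator that merely concatenates content bytes can honour.
HANDLED = MODIFIERS | {"msg", "flow", "content", "uricontent", "pcre",
                       "reference", "classtype", "sid", "rev", "metadata"}


def split_options(rule):
    """[(keyword, value or None), ...]; ';' splits only outside double quotes,
    and backslash escapes inside quotes are kept verbatim for the decoder."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and quoted and i + 1 < len(body):
            buf.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            tok = "".join(buf).strip()
            if tok:
                key, _, val = tok.partition(":")
                opts.append((key.strip(), val.strip() or None))
            buf = []
        else:
            buf.append(c)
        i += 1
    return opts


def decode_content(value):
    r"""'"php|3a 2f 2f|input"' -> (negated, b'php://input').  Text between
    unescaped pipes is hex; elsewhere \" \; \\ \| stand for the bare character."""
    negated = value.startswith("!")
    text = value.lstrip("!").strip()
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("content value must be double-quoted: %r" % value)
    out, in_hex = bytearray(), False
    for chunk in re.split(r"(?<!\\)\|", text[1:-1]):
        if in_hex:
            out += bytes.fromhex(chunk)
        else:
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
        in_hex = not in_hex
    return negated, bytes(out)


def content_matches(rule):
    """Decoded content/uricontent matches in rule order, each with the
    modifier keywords that follow it."""
    matches, current = [], None
    for key, val in split_options(rule):
        if key in ("content", "uricontent"):
            negated, data = decode_content(val)
            current = {"keyword": key, "negated": negated, "data": data, "modifiers": []}
            matches.append(current)
        elif current is not None and key in MODIFIERS:
            current["modifiers"].append(key if val is None else "%s:%s" % (key, val))
    return matches


def naive_payload(rule):
    """The log's layout: positive content matches joined by single spaces.  Not a
    valid HTTP request, and offset/depth/distance/within are ignored, so a real
    sensor will usually not alert on it."""
    return b" ".join(m["data"] for m in content_matches(rule) if not m["negated"])


def unhandled_keywords(rule):
    """Option keywords the concatenation approach cannot represent (flowbits,
    byte_jump, threshold, isdataat, urilen, ...), sorted and de-duplicated."""
    return sorted({key for key, _ in split_options(rule)} - HANDLED)


if __name__ == "__main__":
    for rule in (RULE_2019804, RULE_2019822):
        print(naive_payload(rule), unhandled_keywords(rule))
```

`unhandled_keywords(RULE_2019822)` returns `['byte_jump', 'flowbits']`, the options a plain content concatenation cannot express; its naive payload would be `\r\n\r\nMZ PE\0\0`, whereas the rule requires `PE\0\0` at the offset that `byte_jump:4,58,relative,little` reads from the MZ header (`e_lfanew`, four little-endian bytes at offset 60 of the DOS stub), corrected by `distance:-64; within:4`. The same caveat applies to the HTTP rules: a payload like `POST php://input <?` carries the bytes the rule names but no request line or CRLF framing, so a sensor's HTTP parser will not populate `http_method`, `http_raw_uri` or `http_client_body` from it.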
Building Rule: 2019829 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/update.php"; http_uri; content:"cstype="; http_client_body; depth:7; content:"&authname="; http_client_body; distance:0; content:"&hostname="; http_client_body; distance:0; content:"&ostype="; http_client_body; distance:0; content:"&owner="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations; classtype:trojan-activity; sid:2019831; rev:3;) Parser failed - skipping rule ^.{2}(?=[a-z]{0,15}\d)(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=var) Parser failed - skipping rule ^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var) Parser failed - skipping rule |---------------------| Building Rule: 2019834 -------- Hex Payload Start ---------- 0d 0a 0d 0a d0 cf 11 e0 a1 b1 1a e1 --------- Hex Payload End ----------- \d*?\.bin content:".bin"; |---------------------| Building Rule: 2019835 -------- Hex Payload Start ---------- 2f 76 62 61 50 72 6f 6a 65 63 74 20 2e 62 69 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2019836 -------- Hex Payload Start ---------- 5f 56 42 41 5f 50 52 4f 4a 45 43 54 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019837 -------- Hex Payload Start ---------- 5f 00 56 00 42 00 41 00 5f 00 50 00 52 00 4f 00 4a 00 45 00 43 00 54 00 --------- Hex Payload End ----------- ^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$ uricontent:"/me/"; |---------------------| Building Rule: 2019838 -------- Hex Payload Start ---------- 20 3a 20 2e --------- Hex Payload End 
----------- |---------------------| Building Rule: 2019839 Protocol Not Supported \/infect(?:-\d)?\.php$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/infect.php"; |---------------------| Building Rule: 2019840 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 0d 0a --------- Hex Payload End ----------- \/[A-Za-z0-9]{4}_[A-Za-z0-9]{16}\/$ uricontent:"/AAAA_AAAAAAAAAAAAAAAA/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Swrort.A Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.1|3b| Windows NT|29 0d 0a|"; http_header; content:"RECV"; depth:4; fast_pattern; http_client_body; uricontent:"/AAAA_AAAAAAAAAAAAAAAA/"; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:trojan-activity; sid:2019841; rev:2;) Parser failed - skipping rule ^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1) Parser failed - skipping rule &hash=[^&]+$ uricontent:"&hash=#"; |---------------------| Building Rule: 2019843 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 3a --------- Hex Payload End ----------- ^\/AwoVG[A-Za-z0-9_]+$ uricontent:"/AwoVGA"; |---------------------| Building Rule: 2019844 -------- Hex Payload Start ---------- 20 2e 68 74 6d 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^[A-Z]* HTTP\/1\. content:" HTTP/1."; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Upatre Common URI Struct Dec 01 2014"; flow:established,to_server; content:"GET|20|"; depth:4; content:"-SP"; distance:0; fast_pattern; content:"/0/"; distance:0; content:!"Referer|3a|"; distance:0; content:!"Accept-"; distance:0; content:" HTTP/1."; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/mi"; reference:md5,fd0f57fd1f93c13b7bd63f811ac7939e; classtype:trojan-activity; sid:2019847; rev:12;) Parser failed - skipping rule |---------------------| Building Rule: 2019849 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \x3C\x3C[^>]*\x2FEmbeddedfile content:"<</Embeddedfile"; |---------------------| Building Rule: 2019850 -------- Hex Payload Start ---------- 6f 62 6a 20 3c 3c 2f 45 6d 62 65 64 64 65 64 66 69 6c 65 20 3c 3c 2f 45 6d 62 65 64 64 65 64 66 69 6c 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019851 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 64 6f 6f 73 61 6e 2d 6a 6f 62 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019852 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 64 6f 77 6e 6c 6f 61 64 73 73 65 72 76 65 72 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019853 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 12 64 72 69 76 65 72 63 65 6e 74 65 72 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019854 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 14 65 61 73 79 72 65 73 75 6d 65 63 72 65 61 74 6f 72 70 72 6f 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019855 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 13 67 6f 6f 67 6c 65 70 72 6f 64 75 63 74 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019856 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 13 67 6f 6f 67 6c 65 70 72 6f 64 75 63 74 75 70 64 61 74 65 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019857 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 6b 75 6e 64 65 6e 70 66 6c 65 67 65 06 6d 65 6e 72 61 64 02 64 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019858 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 17 6d 69 63 72 6f 73 6f 66 74 61 63 74 69 76 65 73 65 72 76 69 63 65 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019859 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 12 6d 69 63 72 6f 73 6f 66 74 6d 69 64 64 6c 65 61 73 74 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019860 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 16 6d 69 63 72 6f 73 6f 66 74 6f 6e 6c 69 6e 65 75 70 64 61 74 65 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019861 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 15 6d 69 63 72 6f 73 6f 66 74 73 65 72 76 65 72 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019862 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 15 6d 69 63 72 6f 73 6f 66 74 75 70 64 61 74 65 73 65 72 76 65 72 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019863 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 19 6d 69 63 72 6f 73 6f 66 74 77 69 6e 64 6f 77 73 72 65 73 6f 75 72 63 65 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019864 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 16 6d 69 63 72 6f 73 6f 66 74 77 69 6e 64 6f 77 73 75 70 64 61 74 65 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019865 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 6e 6f 72 74 68 72 6f 70 67 72 75 6d 6d 61 6e 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019866 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 74 65 6c 65 64 79 6e 65 2d 6a 6f 62 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019867 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 14 77 69 6e 64 6f 77 73 63 65 6e 74 72 61 6c 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019868 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 15 77 69 6e 64 6f 77 73 73 65 63 75 72 69 74 79 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019869 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 13 77 69 6e 64 6f 77 73 73 65 72 76 65 72 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019870 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 13 77 69 6e 64 6f 77 73 75 70 64 61 74 65 73 65 72 76 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2019871 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 67 65 73 75 6e 64 64 75 72 63 68 73 6a 61 68 72 02 64 65 00 --------- Hex Payload End ----------- ^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/ABsA"; |---------------------| Building Rule: 2019872 -------- Hex Payload Start ---------- 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2019874 -------- Hex Payload Start ---------- 3d 22 72 65 70 6c 61 63 65 22 3b 27 29 3b 20 7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2019875 Error here within! -------- Hex Payload Start ---------- 16 20 0b 20 09 00 b8 24 bd ca a0 48 b4 10 55 04 03 20 08 74 68 66 67 74 6a 79 6a --------- Hex Payload End ----------- !!--no content found in the rule--!! Unsupported keyword! 
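The records above all follow one layout: a `|---------------------| Building Rule: <sid>` delimiter, optional notes (`Error here depth!`, `Protocol Not Supported`, `Unsupported keyword!`), and a hex dump between `Hex Payload Start` and `Hex Payload End`; rules the parser rejected are echoed in full between records, terminated by `Parser failed - skipping rule`. The DNS rules (2019788, 2019790 and 2019851 through 2019871) all produce payloads that begin `20 20 01 00 00 01 00 00 00 00 00 00` followed by length-prefixed labels: a 12-byte DNS query header followed by the QNAME, where the two leading `20` bytes stand where the transaction ID would be (my reading of the output, not something the log states); sid 2019788 decodes to `cvredirect.no-ip.net`. Below is an added example, not the converter's code, that parses this log format, turns the payloads back into bytes and reads the queried name out of the DNS ones. `SAMPLE_LOG` is a few records copied verbatim from the log above.

```python
"""Parse the converter log reproduced on this page: split it into per-rule
records, turn each 'Hex Payload' back into bytes, list the rules the parser
skipped, and read the queried name out of the DNS payloads (the records that
begin 20 20 01 00 00 01 ...).  Added example, not the converter's code;
SAMPLE_LOG is a few records copied verbatim from the log above."""
import re

SAMPLE_LOG = (
    "|---------------------| Building Rule: 2019749 -------- Hex Payload Start ---------- "
    "50 4f 53 54 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f "
    "78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 20 43 6f 6e 6e 65 63 74 69 6f "
    "6e 3a 20 63 6c 6f 73 65 20 73 65 72 76 65 72 4b 65 79 3d 20 64 61 74 61 3d 20 6b 65 79 3d 20 "
    "3a 20 74 20 2e --------- Hex Payload End ----------- "
    "|---------------------| Building Rule: 2019786 Protocol Not Supported "
    "|---------------------| Building Rule: 2019788 Error here depth! -------- Hex Payload Start "
    "---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 63 76 72 65 64 69 72 65 63 74 05 6e 6f 2d "
    "69 70 03 6e 65 74 00 --------- Hex Payload End ----------- "
    "|---------------------| Building Rule: Protocol Not Supported Unsupported keyword! "
    "Error parsing rule contents alert ssh $EXTERNAL_NET any -> $HOME_NET any "
    '(msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; '
    'ssh.softwareversion:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; '
    "classtype:network-scan; sid:2019876; rev:4;) Parser failed - skipping rule "
)

DELIM = "|---------------------|"
HEX_RE = re.compile(r"Hex Payload Start -+\s*([0-9a-fA-F ]*?)\s*-+ Hex Payload End")
SKIPPED_RE = re.compile(r"Error parsing rule contents (alert .*?\))\s*Parser failed - skipping rule", re.S)
SID_RE = re.compile(r"\bsid:(\d+)")
NOTE_RE = re.compile(r"Error here \w+!|Protocol Not Supported|Unsupported keyword!|Parser failed - skipping rule")


def parse_log(text):
    """-> (records, skipped).  One record per 'Building Rule:' delimiter as
    {'sid', 'payload' (bytes or None), 'notes'}; rules echoed with
    'Error parsing rule contents ... Parser failed' land in skipped as (sid, rule)."""
    records, skipped = [], []
    for chunk in text.split(DELIM):
        chunk = chunk.strip()
        for m in SKIPPED_RE.finditer(chunk):      # may sit before the first delimiter
            sid = SID_RE.search(m.group(1))
            skipped.append((int(sid.group(1)) if sid else None, m.group(1)))
        head = re.match(r"Building Rule:\s*(\d+)?", chunk)
        if not head:
            continue
        hexm = HEX_RE.search(chunk)
        records.append({
            "sid": int(head.group(1)) if head.group(1) else None,
            "payload": bytes.fromhex(hexm.group(1)) if hexm else None,
            "notes": NOTE_RE.findall(chunk),
        })
    return records, skipped


def ascii_preview(payload):
    """Printable bytes as text, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload)


def dns_qname(payload, offset=12):
    """Read the length-prefixed QNAME labels starting at offset (12 = right
    after the DNS header).  Only the label bytes are meaningful here: the
    converter left the header mostly as filler."""
    labels, i = [], offset
    while True:
        n = payload[i]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["sid"], r["notes"], ascii_preview(r["payload"]) if r["payload"] else None)
    print("skipped:", [sid for sid, _ in skipped])
```

For the flattened log on this page, feed the whole text to `parse_log`; records whose `sid` is `None` are the `Building Rule: Protocol Not Supported` entries where the tool printed no sid, and the `skipped` list is the set of rules that never got a payload at all. `ascii_preview` of sid 2019749 gives `POST Content-Type: application/x-www-form-urlencoded Connection: close serverKey= data= key= : t .`, which shows the payload to be the rule's content strings separated by spaces rather than a well-formed HTTP request; treat these dumps as a list of the bytes a rule looks for, not as traffic that will trigger it on a sensor with an HTTP or DNS parser in front of the rule engine.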
Error parsing rule contents alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh.softwareversion:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; content:"%252E%252E%252F"; nocase; http_raw_uri; classtype:misc-attack; sid:2019880; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2019878 -------- Hex Payload Start ---------- 17 03 01 00 0c e2 c4 fd d9 e8 e3 f2 9f --------- Hex Payload End ----------- |---------------------| Building Rule: 2019879 Protocol Not Supported ^\/(?:[a-z]+\/)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2"; flow:established,from_server; content:"Content-Length|3a 20|9|0d 0a|"; http_header; file_data; content:"no result"; fast_pattern:only; flowbits:isset,ET.Anunanak.HTTP.2; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020030; rev:2;) Parser failed - skipping rule \.txt\?dummy=\d+$ uricontent:".txt?dummy=0"; |---------------------| Building Rule: 2020031 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- \.exe\?dummy=\d+$ uricontent:".exe?dummy=0"; |---------------------| Building Rule: 2020032 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020033 Protocol Not Supported |---------------------| Building Rule: 2020034 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020035 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 67 72 65 61 74 2d 63 6f 64 65 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020036 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 61 64 67 75 61 72 64 04 6e 61 6d 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020037 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 63 6f 72 61 6c 2d 74 72 65 76 65 6c 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020038 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 64 64 6e 73 65 72 76 69 63 65 31 30 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020039 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 70 61 72 61 64 69 73 65 2d 70 6c 61 7a 61 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020040 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 77 6f 72 6c 64 6e 65 77 73 6f 6e 6c 69 6e 65 02 70 77 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020041 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 75 70 64 61 74 65 2d 6a 61 76 61 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020044 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 61 6c 6c 77 61 79 73 68 61 70 70 79 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020045 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 63 61 73 69 6e 6f 72 6f 79 61 6c 37 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020046 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 63 72 79 70 74 64 6f 6d 61 69 6e 02 64 70 02 75 61 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020047 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 64 65 61 64 77 61 6c 6b 33 32 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020048 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 64 6f 75 62 6c 65 63 6c 69 63 6b 61 64 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020049 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 69 74 2d 6e 65 77 73 62 6c 6f 67 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020050 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 6a 73 2d 73 74 61 74 69 63 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020051 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 6c 61 67 6f 73 61 64 76 65 6e 74 75 72 65 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020052 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 6c 65 62 61 6e 6f 6e 77 61 72 72 69 6f 72 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020053 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6e 69 67 65 72 69 61 6e 62 72 6f 74 68 65 72 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020054 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 6f 63 74 6f 62 65 72 70 69 63 73 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020055 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 70 72 69 6e 63 65 6f 66 6e 69 67 65 72 69 61 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020056 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 72 6f 79 61 6c 67 6f 75 72 70 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020057 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 73 65 72 76 65 72 33 38 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020058 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 73 73 6c 2d 73 65 72 76 65 72 32 34 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020059 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 74 77 65 65 74 65 72 70 6c 61 6e 65 74 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020060 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 74 77 65 65 74 65 72 2d 73 74 61 74 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020061 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 75 70 64 61 74 65 6d 79 68 6f 73 74 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020062 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 77 61 6c 6b 69 6e 67 64 65 61 64 33 32 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020063 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 77 6f 72 6c 64 6e 65 77 73 32 34 37 03 6e 65 74 00 --------- Hex Payload End ----------- ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n content:"0.0.0.0 "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020065 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 64 64 6e 73 65 72 76 69 63 65 31 31 02 72 75 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020066 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 13 66 69 6e 61 6e 63 69 61 6c 6e 65 77 73 6f 6e 6c 69 6e 65 02 70 77 00 --------- Hex Payload End ----------- ^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2) NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL Groupref NOT IMPL Groupref content:"#)To Ubound()#=+Cstr(Chr((i)+0))0Execute"; |---------------------| Building Rule: 2020067 -------- Hex Payload Start ---------- 46 6f 72 20 69 3d 4c 42 6f 75 6e 64 28 20 00 29 54 6f 20 55 62 6f 75 6e 64 28 29 00 3d 2b 43 73 74 72 28 43 68 72 28 28 69 29 2b 30 29 29 30 45 78 65 63 75 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020068 -------- Hex Payload Start ---------- 45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 32 36 20 4a 75 6c 20 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 53 61 74 2c 20 32 36 20 4a 75 6c 20 32 30 33 39 20 --------- Hex Payload End ----------- type limit, track by_src, seconds 60, count 1 |---------------------| Building Rule: 2020069 -------- Hex Payload Start ---------- 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020070 -------- Hex Payload Start ---------- 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 65 74 55 52 4c 2f 31 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020071 -------- Hex Payload Start ---------- 0d 0a 0d 0a 82 67 9f c3 f1 71 70 fc --------- Hex Payload End ----------- 
|---------------------| Building Rule: 2020072 -------- Hex Payload Start ---------- 0d 0a 0d 0a 04 6e 76 82 2e 2c 2c 48 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020075 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Andromeda Checkin Dec 29 2014"; flow:established,to_server; content:"POST"; nocase; http_method; content:"EPF#"; depth:4; fast_pattern; http_client_body; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; content:"Connection|3a 20|close|0d 0a|"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:trojan-activity; sid:2020076; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020077 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3a 20 74 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020078 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020079 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^[0-9A-F]{12}$ content:"000000000000"; |---------------------| Building Rule: 2020081 -------- Hex Payload Start ---------- 01 00 00 00 0c 00 00 00 20 30 30 30 30 30 30 30 30 30 30 30 --------- Hex Payload End ----------- ^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[ NOT IMPL Groupref NOT IMPL Groupref content:"("#","if(!='"){#=["; |---------------------| Building Rule: 2020082 -------- Hex Payload Start ---------- 2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e 20 46 75 6e 63 74 69 6f 6e 20 28 22 00 22 2c 22 69 66 28 21 3d 27 22 29 7b 00 3d 5b --------- Hex 
Payload End ----------- \.php\?id=\d{30}\w{6}-\d{2}-\d{3}-\d{9}$ uricontent:".php?id=000000000000000000000000000000AAAAAA-00-000-000000000"; |---------------------| Building Rule: 2020083 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020084 -------- Hex Payload Start ---------- 57 69 6e 64 6f 77 73 20 50 6f 77 65 72 53 68 65 6c 6c 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020085 -------- Hex Payload Start ---------- 57 69 6e 64 6f 77 73 20 53 63 72 69 70 74 20 48 6f 73 74 20 56 65 72 73 69 6f 6e 43 6f 70 79 72 69 67 68 74 20 28 43 29 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020086 -------- Hex Payload Start ---------- 77 6d 69 63 3a 72 6f 6f 74 5c 63 6c 69 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020087 -------- Hex Payload Start ---------- 6e 65 74 73 68 20 66 69 72 65 77 61 6c 6c 22 20 69 73 20 64 65 70 72 65 63 61 74 65 64 3b 75 73 65 20 22 6e 65 74 73 68 20 61 64 76 66 69 72 65 77 61 6c 6c 4f 6b 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020088 -------- Hex Payload Start ---------- 53 45 52 56 49 43 45 5f 4e 41 4d 45 3a 54 59 50 45 53 45 52 56 49 43 45 5f 45 58 49 54 5f 43 4f 44 45 --------- Hex Payload End ----------- \.php\?command=(g(hl|et(ip|id|backconnect))|update2)($|&) uricontent:".php?command=ghl"; |---------------------| Building Rule: 2020089 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 70 62 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020090 -------- Hex Payload Start ---------- 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020091 -------- Hex Payload Start ---------- --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2020092 -------- Hex Payload Start ---------- 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020093 -------- Hex Payload Start ---------- 32 31 32 33 32 66 32 39 37 61 35 37 61 35 61 37 34 33 38 39 34 61 30 65 34 61 38 30 31 66 63 33 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Neutrino CC dump"; flow:to_server,established; content:"POST"; http_method; content:"dumpgrab="; http_client_body; fast_pattern:only; content:"track_type="; http_client_body; content:"track_data="; http_client_body; content:"process_name="; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:2;) Parser failed - skipping rule \.png$ uricontent:".png"; |---------------------| Building Rule: 2020095 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 74 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020096 -------- Hex Payload Start ---------- 63 50 61 6e 65 6c 20 43 72 61 63 6b 65 72 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; content:"user=CRACKER"; http_client_body; classtype:trojan-activity; sid:2020097; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020099 -------- Hex Payload Start ---------- 65 78 65 63 43 6f 6d 6d 61 6e 64 20 59 4d 6a 66 20 75 30 63 30 38 20 75 30 63 30 63 4b 44 6f 67 --------- Hex Payload End ----------- ^[0-9][^=] content:"0#"; |---------------------| Building Rule: 2020100 -------- Hex Payload Start ---------- 43 6f 6f 6b 69 65 3a 20 43 20 30 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020101 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 52 6f 6d 50 61 67 65 72 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"<?"; http_client_body; content:"system|28|"; http_client_body; distance:0; classtype:web-application-attack; sid:2020102; rev:4;) Parser failed - skipping rule ^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{ Parser failed - skipping rule |---------------------| Building Rule: 2020104 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020107 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 62 6c 61 64 65 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020108 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 62 6f 6e 79 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020109 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 62 6f 72 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020110 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 62 72 6f 77 73 65 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020111 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 64 6f 6f 72 32 74 6f 72 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020112 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 65 6e 74 65 72 32 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020113 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 6a 61 6d 61 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020114 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 6f 6e 69 6f 6e 32 77 65 62 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020115 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6f 6e 69 6f 6e 02 6c 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020116 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6f 6e 69 6f 6e 02 74 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020117 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 70 61 79 32 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020118 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 70 61 79 34 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020119 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 61 79 72 6f 62 6f 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020120 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 70 6f 6c 74 6f 72 6e 69 6b 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020121 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 73 6c 61 76 65 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020122 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 61 6e 6b 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020123 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 32 70 61 79 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020124 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 32 77 77 77 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020125 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 74 6f 72 34 6c 69 66 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020126 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 34 70 61 79 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020127 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 6f 72 61 6c 70 61 63 68 6f 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020128 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 62 61 6d 61 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020129 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 63 68 65 6b 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020130 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 74 6f 72 65 78 70 6c 6f 72 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020131 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 6f 72 66 6f 72 6c 6f 76 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020132 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 74 6f 72 6a 61 6d 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020133 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 6f 72 6d 69 6e 61 74 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020134 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 74 6f 72 70 61 63 68 6f 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020135 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 6f 72 70 61 79 63 61 73 68 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020136 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 74 6f 72 70 61 79 63 6e 66 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020137 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 74 6f 72 70 61 79 65 75 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020138 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 74 6f 72 70 61 79 75 73 64 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020139 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 12 74 6f 72 70 72 69 76 61 74 65 62 72 6f 77 73 69 6e 67 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020140 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 74 6f 72 73 61 6e 63 74 69 6f 6e 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020141 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 73 6f 6e 61 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020142 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 74 6f 72 76 73 75 73 64 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020143 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 77 69 6c 64 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020144 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 74 6f 72 77 69 6e 6e 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020145 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 6f 74 6f 72 74 6f 77 65 62 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020146 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 76 74 6f 72 63 68 69 6b 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020147 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 77 61 6c 74 65 72 77 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- ^\/[^\x2f]+\/pops[a-z]?\.php$ uricontent:"/#/pops.php"; |---------------------| Building Rule: 2020148 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020149 Protocol Not Supported |---------------------| Building Rule: 2020150 -------- Hex Payload Start ---------- 00 00 00 00 00 00 00 00 00 00 32 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020151 -------- Hex Payload Start ---------- 00 00 00 00 00 00 00 00 00 00 64 32 --------- Hex Payload End ----------- ^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d content:"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}"; |---------------------| Building Rule: 2020152 -------- Hex Payload Start ---------- 00 00 00 02 00 00 00 00 00 00 32 32 7b 20 61 61 61 61 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 61 61 61 61 61 61 61 61 7d --------- Hex 
Payload End ----------- ^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d content:"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}"; |---------------------| Building Rule: 2020153 -------- Hex Payload Start ---------- 00 00 00 02 00 00 00 00 00 00 64 32 7b 20 61 61 61 61 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 2d 61 61 61 61 61 61 61 61 61 61 61 61 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020154 -------- Hex Payload Start ---------- e8 03 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020155 -------- Hex Payload Start ---------- e8 03 00 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Emotet.C Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:1; content:"MASE|0d 0a|"; http_header; content:"name=|22|c1|22 0d 0a 0d 0a|c"; http_client_body; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:trojan-activity; sid:2020156; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2020157 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 20 20 20 2e 20 74 --------- Hex Payload End ----------- ^[A-F0-9]{48}\.bin\r\n content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.bin "; |---------------------| Building Rule: Protocol Not Supported \d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"0.js?aaaaaaa=#.js"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; uricontent:"0.js?aaaaaaa=#.js"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2020160 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 2e 7a 69 70 20 3b 0d 0a 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 24 63 74 79 70 65 0d 0a 20 0d 0a 0d 0a 50 4b 03 04 --------- Hex Payload End ----------- ^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB content:"A="UEsDB"; |---------------------| Building Rule: 2020161 -------- Hex Payload Start ---------- 55 45 73 44 42 20 76 61 72 20 41 3d 22 55 45 73 44 42 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020162 -------- Hex Payload Start ---------- 4a 55 4e 4b 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020163 -------- Hex Payload Start ---------- 47 45 54 4c 4f 43 41 4c 49 50 20 --------- Hex Payload End ----------- ^(?:ON|OFF) content:""; |---------------------| Building Rule: 2020164 -------- Hex Payload Start ---------- 53 43 41 4e 4e 45 52 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020165 -------- Hex Payload Start ---------- 4b 49 4c 4c 41 54 54 4b 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020166 -------- Hex Payload Start ---------- 4c 4f 4c 4e 4f 47 54 46 4f 20 --------- Hex Payload End ----------- type both, count 1, seconds 10, track by_src |---------------------| Building Rule: 2020167 -------- Hex Payload Start ---------- 1b 5d 30 3b 42 6f 
74 73 20 63 6f 6e 6e 65 63 74 65 64 3a 20 7c 20 43 6c 69 65 6e 74 73 20 63 6f 6e 6e 65 63 74 65 64 3a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020168 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 74 32 75 70 69 6f 6b 75 61 33 37 77 71 32 63 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020169 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bb 4e 4e bc bc bc 7e 7e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020170 -------- Hex Payload Start ---------- 77 69 6e 64 6f 77 73 2f 6d 65 74 65 72 70 72 65 74 65 72 2f 72 65 76 65 72 73 65 5f --------- Hex Payload End ----------- |---------------------| Building Rule: 2020171 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 61 6f 65 6d 76 70 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020172 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 32 34 0d 0a 20 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 43 45 52 54 2e 50 4c --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020174; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020175; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020176; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020177; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020179 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 52 69 76 65 73 74 0d 0a --------- Hex Payload End ----------- ^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c NOT IMPL Groupref content:"#)=||0,"; |---------------------| Building Rule: 2020180 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a 24 2c 20 00 29 3d 30 2c --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020182 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 70 61 79 74 6f 63 34 67 74 70 6e 35 63 7a 6c 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020183 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 74 6f 72 66 6f 72 61 6c 6c 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020184 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 72 6d 61 6e 32 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020185 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 74 6f 72 77 6f 6d 61 6e 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020186 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 74 6f 72 72 6f 61 64 73 74 65 72 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020187 Protocol Not Supported ^\d+MHz\x00 content:"0MHz#"; |---------------------| Building Rule: 2020188 Error here within! -------- Hex Payload Start ---------- 00 00 00 00 20 2e 4d 48 7a 00 20 20 2a 20 20 30 4d 48 7a 00 20 4d 42 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020189 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 69 32 70 2d 6e 65 74 64 62 09 69 6e 6e 6f 76 61 74 69 6f 02 6e 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020190 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 03 69 32 70 04 6d 6f 6f 6f 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020191 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6e 65 74 64 62 04 69 32 70 32 02 6e 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020192 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 72 65 73 65 65 64 0b 69 32 70 2d 70 72 6f 6a 65 6b 74 02 64 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020193 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 75 6b 06 72 65 73 65 65 64 04 69 32 70 32 02 6e 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020194 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 02 75 73 06 72 65 73 65 65 64 04 69 32 70 32 02 6e 6f 00 --------- Hex Payload End ----------- ^\/changelog\/(?:appversion|changelog|help)$ uricontent:"/changelog/"; |---------------------| Building Rule: 2020195 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4a 61 76 61 2f 31 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020196 Protocol Not Supported |---------------------| Building Rule: 2020197 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\/(?:[a-z-]+\/)?update[^\x2f]+?\.php\?a= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/update#.php?a="; |---------------------| Building Rule: 2020203 -------- Hex Payload Start ---------- 47 45 54 20 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 20 50 72 6f 78 79 2d 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020204 -------- Hex Payload Start ---------- 0d 0a 0d 0a 31 90 49 ae c8 2b 73 75 --------- Hex Payload End ----------- 
^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var) NOT IMPL Groupref content:"00aaaa00##U##00"; |---------------------| Building Rule: 2020205 Protocol Not Supported |---------------------| Building Rule: 2020206 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 71 74 72 75 64 72 75 6b 6d 75 72 70 73 37 74 63 --------- Hex Payload End ----------- ^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c content:"start){for(var #=start||0,"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 19 2014"; flow:established,from_server; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern:only; content:"|24 2c|"; content:"start){for(var #=start||0,"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:trojan-activity; sid:2020207; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2020209 Error here within! -------- Hex Payload Start ---------- 57 69 6e 64 6f 77 73 20 20 4d 48 5a 00 00 57 69 6e 20 20 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020210 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 74 7a 73 76 65 6a 72 7a 64 75 6f 35 32 73 69 79 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020211 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6f 6e 69 6f 6e 02 67 71 00 --------- Hex Payload End ----------- \d\.js\?get_message(?:=-?\d+?)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"0.js?get_message"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; uricontent:"0.js?get_message"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2020213 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 37 6e 34 70 35 6f 36 76 6c 6b 64 69 71 69 65 65 --------- Hex Payload End ----------- [^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15 content:"## #"; |---------------------| Building Rule: 2020215 Error here depth! Error here within! -------- Hex Payload Start ---------- 20 20 15 15 20 15 20 20 15 15 20 15 20 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 20 00 00 20 15 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020216 Protocol Not Supported |---------------------| Building Rule: 2020217 Protocol Not Supported |---------------------| Building Rule: 2020218 Protocol Not Supported |---------------------| Building Rule: 2020219 Protocol Not Supported ^.{4}[\x20-\x7e]{5}.{4}\x96\x71 content:"0000 0000q"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:to_server,established; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:"0000 0000q"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:trojan-activity; sid:2020214; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2020220 Protocol Not Supported ^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))) uricontent:""; |---------------------| Building Rule: 2020221 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020222 -------- Hex Payload Start ---------- 4d 42 00 00 57 69 6e 64 6f 77 73 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020223 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:trojan-activity; sid:2020224; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020225 -------- Hex Payload Start ---------- 0d 0a 0d 0a 0b c7 6a 1e 7c c2 43 ea --------- Hex Payload End ----------- |---------------------| Building Rule: 2020226 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6f 68 6d 76 61 34 67 62 79 77 6f 6b 7a 71 73 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2020228 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 72 6f 78 79 31 2d 31 2d 31 03 69 32 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020229 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 72 6f 78 79 32 2d 32 2d 32 03 69 32 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020230 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 72 6f 78 79 33 2d 33 2d 33 03 69 32 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020231 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 72 6f 78 79 34 2d 34 2d 34 03 69 32 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020232 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 72 6f 78 79 35 2d 35 2d 35 03 69 32 70 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall CryptoWall 3.0 Check-in"; flow:established,to_server; content:"POST"; http_method; content:"http|3a 2f 2f|proxy"; depth:12; http_raw_uri; fast_pattern; content:"i2p|0d 0a|"; http_header; content:!"|0d 0a|Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020233; rev:2;) Parser failed - skipping rule ^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; uricontent:"/"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:trojan-activity; sid:2020234; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2020235 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 61 7a 69 6c 6c 61 2f --------- Hex Payload End ----------- ^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?, NOT IMPL Groupref content:""#".replace("","; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 21 2014"; flow:established,from_server; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; content:""#".replace("","; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:trojan-activity; sid:2020236; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020237 -------- Hex Payload Start ---------- 0d 0a 75 73 65 72 6e 61 6d 65 3d 22 62 69 6d 6d 2f 62 69 6d 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020238 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 6f 67 45 76 65 6e 74 73 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020239 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 56 65 72 73 69 6f 6e 44 77 6c 0d 0a --------- Hex Payload End ----------- type limit,track by_src,count 1,seconds 180 |---------------------| Building Rule: 2020240 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 20 42 6f 42 72 6f 77 73 65 72 2f --------- Hex Payload End ----------- \?uid=\d+&context=\w+&mode=text&data=\w+$ uricontent:"?uid=0&context=A&mode=text&data=A"; |---------------------| Building Rule: 2020241 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020242 Protocol Not Supported |---------------------| Building Rule: 2020243 Protocol Not Supported |---------------------| Building Rule: 2020244 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 61 70 70 6c 65 0b 64 79 6e 61 6d 69 63 2d 64 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020245 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 61 75 74 6f 63 61 72 09 53 65 72 76 65 55 73 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020246 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 62 6c 61 63 6b 62 6c 6f 67 08 63 68 61 74 6e 6f 6f 6b 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020247 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 62 75 6c 6c 64 6f 67 03 74 6f 68 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020248 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 63 65 77 35 38 65 04 78 78 78 79 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020249 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 63 6f 61 73 74 6e 65 77 73 08 64 61 72 6b 74 65 63 68 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020250 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 64 65 6d 6f 6e 04 34 69 72 63 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020251 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 64 79 6e 61 6d 69 63 04 64 64 6e 73 04 6d 6f 62 69 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020252 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 65 78 70 65 72 74 04 34 69 72 63 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020253 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 66 6f 6f 74 62 61 6c 6c 07 6d 72 62 61 73 69 63 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020254 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 67 6a 6a 62 05 66 6c 6e 65 74 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020255 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 69 6d 69 72 6e 6f 76 04 64 64 6e 73 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020256 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 6a 69 6e 67 6e 61 6e 38 38 08 63 68 61 74 6e 6f 6f 6b 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020257 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 6c 65 68 6e 6a 62 04 65 70 61 63 02 74 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020258 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 6c 6f 67 6f 66 66 03 32 35 75 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020259 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 6c 6f 67 6f 66 66 04 64 64 6e 73 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020260 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 6c 73 39 31 30 33 32 39 04 6d 79 30 33 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020261 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 6d 61 69 6c 72 75 03 32 35 75 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020262 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 4d 61 72 6b 73 68 65 6c 6c 06 65 74 6f 77 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020263 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 6d 79 64 65 61 72 04 64 64 6e 73 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020264 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 6e 61 7a 67 75 6c 04 7a 79 6e 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020265 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 6e 65 77 64 79 6e 64 6e 73 07 73 63 69 65 72 6f 6e 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020266 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 6e 65 77 6f 75 74 6c 6f 6f 6b 08 64 61 72 6b 74 65 63 68 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020267 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 70 68 6f 74 6f 63 61 72 64 04 34 69 72 63 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020268 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 70 72 69 63 65 74 61 67 08 64 65 61 66 74 6f 6e 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020269 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 72 75 62 62 65 72 64 75 63 6b 08 67 6f 74 67 65 65 6b 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020270 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 73 68 75 74 64 6f 77 6e 03 32 35 75 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020271 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 73 6f 72 72 79 03 6e 73 32 04 6e 61 6d 65 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020272 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 73 73 6b 69 6c 6c 04 62 30 6e 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020273 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 65 78 74 2d 46 69 72 73 74 05 66 6c 6e 65 74 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020274 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 75 75 64 6f 67 03 34 70 75 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020275 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 77 69 6c 6c 2d 73 6d 69 74 68 05 64 74 64 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020276 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 6e 64 63 69 6e 66 6f 72 6d 61 74 69 6f 6e 07 61 63 6d 65 74 6f 79 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020277 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 73 65 72 76 69 63 65 0d 61 75 74 68 6f 72 69 7a 65 64 64 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020278 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 74 65 78 74 2d 66 69 72 73 74 07 74 72 69 63 6b 69 70 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020279 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 79 65 6c 6c 6f 77 62 6c 6f 67 05 66 6c 6e 65 74 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020280 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 63 72 70 74 61 72 76 34 68 63 75 32 34 69 6a 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020281 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 63 72 70 74 62 66 6f 69 35 69 35 34 75 62 65 7a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020282 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 63 72 70 74 63 6a 37 77 64 34 6f 61 61 66 64 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2020284 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 74 6f 6c 6f 74 6f 72 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020285 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 62 6f 6c 74 6f 74 6f 72 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020286 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 62 6f 6e 79 74 6f 72 32 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020287 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 73 70 65 65 63 6f 73 74 6f 72 03 63 6f 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020288 Protocol Not Supported |---------------------| Building Rule: 2020289 Protocol Not Supported ^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x55\x04\x07.{2}(?P=var) NOT IMPL Groupref content:"00aaaaaaaaaaaaaaaaaaaaaaaa00U##00"; |---------------------| Building Rule: 2020290 Protocol Not Supported ^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f Parser failed - skipping rule ^[a-zA-Z0-9]{12} content:"aaaaaaaaaaaa"; |---------------------| Building Rule: 2020292 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 63 72 70 74 20 61 61 61 61 61 61 61 61 61 61 61 61 --------- Hex Payload End ----------- \x26enckey\x3D[A-F0-9]+$ uricontent:"&enckey=A"; |---------------------| Building Rule: 2020293 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020294 Error here depth! 
--------- Hex Payload End ----------- |---------------------| Building Rule: 2020440 -------- Hex Payload Start ---------- 20 20 0d 0a 52 45 4d 4f 54 45 5f 55 53 45 52 3a 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020441 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 4b 0d 0a 20 0d 0a 52 45 4d 4f 54 45 5f 55 53 45 52 3a 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020442 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6b 79 70 65 0d 0a 20 0d 0a 52 45 4d 4f 54 45 5f 55 53 45 52 3a 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020443 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 6b 79 70 65 65 0d 0a 20 0d 0a 52 45 4d 4f 54 45 5f 55 53 45 52 3a 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020444 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 70 73 74 63 6d 65 64 69 61 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020445 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 6d 69 78 65 64 77 6f 72 6b 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020446 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 61 68 6d 65 64 66 61 69 65 7a 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020447 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 66 6c 75 73 68 75 70 64 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020448 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 66 6c 75 73 68 75 70 61 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020449 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 69 6e 65 6c 74 64 72 69 76 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020450 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 6d 65 64 69 61 68 69 74 65 63 68 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020451 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 70 6c 6d 65 64 67 72 6f 75 70 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020452 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 61 64 76 74 72 61 76 65 6c 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020453 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 66 70 75 70 64 61 74 65 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020454 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 6c 69 6e 6b 73 69 73 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020436 -------- Hex Payload Start ---------- 47 45 54 20 20 0d 0a 52 45 4d 4f 54 45 5f 55 53 45 52 3a 20 20 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:trojan-activity; sid:2020455; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020456 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 00 00 4f 53 3a 20 2c 20 44 6f 6d 61 69 6e 3a 20 2c 20 55 73 65 72 3a 20 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020457 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 31 37 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 32 34 2e 30 2e 31 33 31 32 2e 35 37 20 53 61 66 61 72 69 2f 35 33 37 2e 31 37 0d 0a 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020458 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 75 6b 7a 6f 37 33 7a 34 69 6e 7a 70 65 6e 6d 71 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020460 -------- Hex Payload Start ---------- 31 30 32 2c 31 31 37 2c 31 31 30 2c 39 39 2c 31 31 36 2c 31 30 35 2c 31 31 31 2c 31 31 30 2c 33 32 2c 31 31 34 2c 31 31 37 2c 31 31 30 2c 31 30 39 2c 31 31 37 2c 31 30 39 2c 39 37 2c 39 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020459 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 6c 69 6e 6b 65 64 69 6d 02 69 6e 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020472 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 69 77 6f 72 6b 2d 73 79 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020461 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 61 6e 64 72 6f 63 69 74 79 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020462 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 6c 69 70 74 6f 6e 61 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020464 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 6e 61 75 73 73 2d 6c 61 62 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020465 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 6e 69 63 65 2d 6d 6f 62 69 6c 65 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020466 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 12 66 61 63 65 62 6f 6f 6b 2d 65 6d 6f 74 69 63 6f 6e 73 09 62 69 74 62 6c 6f 67 6f 6f 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020467 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 61 62 75 68 6d 61 69 64 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020468 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 62 6c 6f 67 67 69 6e 67 2d 68 6f 73 74 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020469 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 74 76 67 61 74 65 05 72 6f 63 6b 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020471 -------- Hex Payload Start ---------- 50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 20 36 2e 30 3b 20 20 2e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Babar POST Request"; flow:established,to_server; content:"POST"; http_method; content:"/n.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; http_client_body; depth:3; content:"&Action="; http_client_body; distance:0; fast_pattern; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020474; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; content:"POST"; http_method; urilen:13; content:"/updateserver"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|MSFX/"; http_header; content:!"Referer|3a 20|"; http_header; classtype:misc-activity; sid:2020475; rev:2;) Parser failed - skipping rule (?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$ uricontent:".jar"; |---------------------| Building Rule: 2020476 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020477 -------- Hex Payload Start ---------- 4a 61 76 61 2f 31 2e 20 3d 59 65 73 20 63 63 6b 5f 6c 61 73 74 74 69 6d 65 3d 20 63 63 6b 5f 63 6f 75 6e 74 3d --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020479 -------- Hex Payload Start ---------- 47 45 54 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020480 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 20 28 4d 6f 7a 69 6c 6c 61 29 0d 0a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020481 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 34 33 36 66 36 63 36 63 36 35 36 33 37 34 34 37 36 31 37 32 36 32 36 31 36 37 36 35 32 38 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020482 -------- Hex Payload Start ---------- 0d 0a 0d 0a 35 33 36 38 36 35 36 63 36 63 34 35 37 38 36 35 36 33 37 35 37 34 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020483 -------- Hex Payload Start ---------- 0d 0a 0d 0a 
25 35 33 25 36 38 25 36 35 25 36 63 25 36 63 25 34 35 25 37 38 25 36 35 25 36 33 25 37 35 25 37 34 25 36 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020484 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020485 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020486 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020487 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; content:"dnsPrimary="; http_client_body; fast_pattern:only; content:"dnsSecondary="; http_client_body; content:"dnsDynamic="; http_client_body; content:"dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020489 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020490 -------- Hex Payload Start ---------- 47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a 20 74 20 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Bedep Connectivity Check (2)"; flow:established,to_server; content:"POST"; http_method; urilen:13; content:"/timezone/0/0"; http_uri; fast_pattern:only; content:"Host|3a 20|www.earthtools.org|0d 0a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/09/09/index.html; classtype:trojan-activity; sid:2020491; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2020492 Protocol Not Supported |---------------------| Building Rule: 2020493 Protocol Not Supported |---------------------| Building Rule: 2020494 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 6c 6c 6c 6c 28 72 65 74 75 72 6e 20 62 6d 77 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2020495 -------- Hex Payload Start ---------- 2a 30 78 66 66 66 66 66 66 66 66 2a 20 2a 73 74 72 32 6c 6f 6e 67 2a 20 2a 6c 6f 6e 67 32 73 74 72 2a --------- Hex Payload End ----------- ^\/[a-z]{3}\?[A-F0-9]{8}$ uricontent:"/aaa?AAAAAAAA"; |---------------------| Building Rule: 2020496 -------- Hex Payload Start ---------- 47 45 54 20 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 20 2e 20 74 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020498 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 48 46 53 20 20 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 20 4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50 20 41 44 4f 44 42 2e 53 74 72 65 61 6d 20 63 6d 64 2e 65 78 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020500 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 48 46 53 20 0d 0a 0d 0a 4d 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020501 -------- Hex Payload Start 
---------- 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b 3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65 2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported \/\?f$ uricontent:"/?f"; |---------------------| Building Rule: 2020505 -------- Hex Payload Start ---------- 20 20 20 74 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020555 Error here within! -------- Hex Payload Start ---------- 3c 3f 70 68 70 0a 24 20 20 20 20 3d 20 73 74 72 5f 72 65 70 6c 61 63 65 28 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed"; flow:established,to_server; content:"<?php|0A|$"; http_client_body; content:"="; distance:4; within:2; http_client_body; content:" str_replace("; distance:0; http_client_body; classtype:trojan-activity; sid:2020556; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020557 -------- Hex Payload Start ---------- 69 6e 67 3a 20 69 64 65 6e 74 69 74 79 0d 0a 48 6f 73 74 3a 20 53 45 53 53 3d 3b 20 53 49 44 3d 3b 20 50 52 45 46 3d 3b 53 53 49 44 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020558 -------- Hex Payload Start ---------- 70 6c 75 67 69 6e 5f 70 64 66 5f 69 65 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020559 -------- Hex Payload Start ---------- 2e 69 74 65 6d 28 30 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 66 72 61 6d 65 5f 74 61 67 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020560 -------- Hex Payload Start ---------- 76 
61 72 20 76 65 72 73 69 6f 6e 3b 76 61 72 20 61 78 3b 76 61 72 20 65 3b 74 72 79 7b 61 78 6f 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020561 -------- Hex Payload Start ---------- 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 68 65 61 64 27 29 2e 69 74 65 6d 28 30 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 66 6f 72 6d 5f 74 61 67 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2020562 -------- Hex Payload Start ---------- 72 65 74 75 72 6e 20 28 28 21 61 29 20 3f 20 27 78 2d 27 3a 20 61 29 20 2b 20 4d 61 74 68 2e 66 6c 6f 6f 72 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 20 2a 20 39 39 39 39 39 29 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2020563 -------- Hex Payload Start ---------- 43 68 72 28 43 49 6e 74 28 6e 73 28 69 29 29 20 58 6f 72 20 6e 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020564 Protocol Not Supported |---------------------| Building Rule: 2020565 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 63 6c 69 65 6e 74 2d 6c 62 07 64 72 6f 70 62 6f 78 03 63 6f 6d 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2020567 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Create - POST Structure"; flow:established,to_server; content:"POST"; http_method; content:"Fname="; http_client_body; depth:6; content:"&cmd="; http_client_body; classtype:trojan-activity; sid:2020572; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a 20|13|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"|00 04 00 00 00|"; offset:4; depth:5; http_client_body; content:!"|00 00 00 00|"; depth:4; http_client_body; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:trojan-activity; sid:2020568; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET TROJAN Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1;) Parser failed - skipping rule \/main\.html$ uricontent:"/main.html"; |---------------------| Building Rule: 2020570 -------- Hex Payload Start ---------- 20 2f 63 6f 6e 6e 65 63 74 6f 72 2e 68 74 6d 6c 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020577 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6f 6e 69 6f 6e 06 64 69 72 65 63 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020574 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6f 6e 69 6f 6e 05 67 6c 61 73 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020573 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020578 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 63 74 69 76 61 74 69 6f 6e 52 65 71 75 65 73 74 53 65 6e 64 69 6e 67 53 65 73 73 69 6f 6e 0d 0a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020579 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 3b 20 65 6e 2d 55 53 29 0d 0a 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020580 -------- Hex Payload Start ---------- 58 2d 54 41 2d 43 6c 69 65 6e 74 56 65 72 3a 20 20 58 2d 54 41 2d 43 6c 69 65 6e 74 4f 53 3a 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020581 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 62 72 6b 37 74 64 61 33 32 77 74 6b 78 6a 70 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020582 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; content:"POST"; http_method; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; http_uri; fast_pattern:only; content:"set_general"; http_client_body; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:3;) Parser failed - skipping rule \/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$ Parser failed - skipping rule |---------------------| Building Rule: 2020585 -------- Hex Payload Start ---------- 65 82 a5 7c 90 90 90 90 90 --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x84\x60 content:" 00000000`"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:to_server,established; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000`"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:trojan-activity; sid:2020586; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020588 -------- Hex Payload Start ---------- 57 41 52 4e 49 4e 47 21 20 59 6f 75 72 20 50 43 20 6d 61 79 20 6e 6f 74 20 62 65 20 70 72 6f 74 65 63 74 65 64 21 72 65 6d 6f 76 65 20 6d 61 6c 69 63 69 6f 75 73 20 6d 61 6c 77 61 72 65 20 61 6e 64 20 61 64 77 61 72 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020589 -------- Hex Payload Start ---------- 57 41 52 4e 49 4e 47 3a 20 59 6f 75 72 20 50 43 20 6d 61 79 20 68 61 76 65 
20 61 20 73 65 72 69 6f 75 73 20 76 69 72 75 73 21 20 61 73 73 69 73 74 61 6e 63 65 20 72 65 6d 6f 76 69 6e 67 20 6d 61 6c 69 63 69 6f 75 73 20 76 69 72 75 73 65 73 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020591 Error here within! -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2020592 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 08 fe 4a ac c6 d6 06 8d --------- Hex Payload End ----------- |---------------------| Building Rule: 2020593 Error here within!
-------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 c5 91 b0 40 ed d9 90 e2 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020594 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 c5 91 b0 40 ed d9 90 e2 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020595 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 71 37 53 d7 19 3c 44 ac --------- Hex Payload End ----------- |---------------------| Building Rule: 2020596 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 71 37 53 d7 19 3c 44 ac --------- Hex Payload End ----------- |---------------------| Building Rule: 2020597 Error here within! 
-------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ff be d1 79 e8 64 54 d1 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020598 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ff be d1 79 e8 64 54 d1 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020599 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 4e 63 0d 03 30 d6 a5 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020600 Parser failed - skipping rule \/web_[0-9A-F]{12}\.jpg$ uricontent:"/web_000000000000.jpg"; |---------------------| Building Rule: 2020601 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020602 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 20 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/fwupgrade.ccp"; http_uri; fast_pattern:only; content:"|0d 0a|fwupgrade"; http_client_body; content:"|0d 0a|resolv.conf"; nocase; http_client_body; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020605 -------- Hex Payload Start ---------- 65 76 61 6c 28 66 75 6e 63 74 69 6f 6e 28 70 2c 61 2c 63 20 7c 61 74 6f 62 7c 20 7c 69 66 72 61 6d 65 7c --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x79\x9f content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:to_server,established; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:trojan-activity; sid:2020606; rev:4;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\xda\x41 content:" 00000000A"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:to_server,established; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000A"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:trojan-activity; sid:2020607; rev:3;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\xdd content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:to_server,established; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:trojan-activity; sid:2020608; rev:4;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7b\x9d content:" 00000000{"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:to_server,established; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000{"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:trojan-activity; sid:2020609; rev:4;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7a\x9c content:" 00000000z"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:to_server,established; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000z"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:trojan-activity; sid:2020610; rev:3;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7f\x9d content:" 00000000"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:to_server,established; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:trojan-activity; sid:2020611; rev:3;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x9c content:" 00000000p"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:to_server,established; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:trojan-activity; sid:2020612; rev:3;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x9e content:" 00000000p"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:to_server,established; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:trojan-activity; sid:2020613; rev:3;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x39\xdd content:" 000000009"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:to_server,established; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 000000009"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:trojan-activity; sid:2020614; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020615 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 33 76 36 65 32 6f 65 35 79 35 72 75 69 6d 70 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020616 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 68 36 33 72 62 78 37 67 6b 64 33 67 79 67 61 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020617 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 63 6f 6e 6e 65 63 74 32 74 6f 72 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020618 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 74 6f 72 73 74 6f 72 6d 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020619 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0c 62 6f 6c 69 73 74 61 74 61 70 61 79 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020620 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 73 73 68 6f 77 6d 65 74 68 65 6d 6f 6e 65 79 03 63 6f 6d 00 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Bayrob Keepalive"; flow:established,to_server; content:"GET"; http_method; urilen:9; content:"/isup.php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_raw_header; content:!"Referer|3a|"; http_header; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:3;) Parser failed - skipping rule \.zip$ uricontent:".zip"; |---------------------| Building Rule: 2020622 -------- Hex Payload Start ---------- 47 45 54 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020623 -------- Hex Payload Start ---------- 65 76 61 6c 28 66 75 6e 63 74 69 6f 6e 28 70 2c 61 2c 63 20 7c 46 69 6e 64 50 72 6f 78 79 46 6f 72 55 52 4c 7c 20 7c 70 72 6f 78 79 7c 20 7c 63 72 65 64 69 63 61 72 64 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2020624 Protocol Not Supported |---------------------| Building Rule: 2020625 Protocol Not Supported ^\/tdstest\/[a-f0-9]{32,}\/?$ 
uricontent:"/tdstest/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2020626 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020627 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4e 53 49 53 5f 49 6e 65 74 63 20 28 4d 6f 7a 69 6c 6c 61 29 0d 0a 20 3a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern:only; content:"&appid="; http_uri; content:"&proto="; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|WinWrapper|0d 0a|"; http_header; content:"{|22|appId|22 3a 22|"; http_client_body; content:"|22|uuId|22 3a 22|"; http_client_body; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020628; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020629 -------- Hex Payload Start ---------- 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 57 72 61 70 70 65 72 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:5;) Parser failed - skipping rule |---------------------| Building Rule: 2020638 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2020639 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0f 6f 70 74 69 6f 6e 73 74 6f 70 61 79 74 6f 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020640 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 11 63 68 65 65 74 6f 73 6e 6f 74 62 75 72 69 74 6f 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020641 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6f 70 74 69 6f 6e 73 6b 65 74 63 68 75 70 61 79 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020642 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 12 73 6f 6c 75 74 69 6f 6e 73 61 63 63 6f 75 6e 74 6f 72 03 63 6f 6d 00 --------- Hex Payload End ----------- \.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$ uricontent:".php?id=00000000000000000000000000000000000000000000&rnd=000"; |---------------------| Building Rule: 2020643 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- \.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$ uricontent:".php?rnd=000&id=00000000000000000000000000000000000000000000"; |---------------------| Building Rule: 2020644 -------- Hex Payload Start ---------- 20 --------- Hex Payload End ----------- ^\/(?:[^\x2f]+\/)?rp\?[a-z]= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/rp?a="; |---------------------| Building Rule: 2020645 -------- Hex Payload Start ---------- 20 20 20 20 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020647 Protocol Not Supported |---------------------| Building Rule: 2020648 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 73 65 61 72 63 68 73 63 72 69 70 74 5f 66 69 65 6c 64 73 2e 63 6c 61 73 73 2e 66 6f 72 4e 61 6d 65 6a 61 76 61 2e 6c 61 6e 67 2e 52 75 6e 74 69 6d 65 --------- Hex Payload End ----------- \.zip$ uricontent:".zip"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoWall download from e-mail link March 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".zip"; http_uri; fast_pattern:only; content:".html"; http_header; uricontent:".zip"; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[a-z0-9]{6}\/[a-z0-9]{5}\.html\r?$/Hm"; classtype:trojan-activity; sid:2020649; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020653 -------- Hex Payload Start ---------- 50 4b 03 04 20 2f 61 64 64 6f 6e 2d 73 64 6b 2f 00 00 72 65 73 6f 75 72 63 65 73 2f 6e 75 6d 62 65 72 63 68 61 6e 67 65 72 66 69 72 65 66 6f 78 2f 50 4b --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020657 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 3c 3f 78 6d 6c 3c 3f 6d 73 6f 2d 61 70 70 6c 69 63 61 74 69 6f 6e 20 70 72 6f 67 69 64 3d 22 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 22 3f 3e 6d 61 63 72 6f 73 50 72 65 73 65 6e 74 3d 22 79 65 73 22 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:1;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2020670 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6a 75 66 35 70 6a 6b 34 73 6c 37 75 6f 6a 68 34 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:trojan-activity; sid:2020671; rev:3;) Parser failed - skipping rule ^\/[a-z]+\/[a-z]+\.exe$ uricontent:"/a/a.exe"; |---------------------| Building Rule: 2020683 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020684 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6d 6d 63 36 35 7a 34 78 73 67 62 63 62 61 7a 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2020685 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 34 65 6c 63 71 6d 69 73 36 32 34 73 65 65 6f 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020686 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 74 6f 72 34 66 72 65 65 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020687 Protocol Not Supported |---------------------| Building Rule: 2020688 Protocol Not Supported |---------------------| Building Rule: 2020689 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^[\x20-\x7e]+?.{8}\x2e\x96 content:" 00000000."; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:to_server,established; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000."; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:trojan-activity; sid:2020691; rev:1;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7b\x9f content:" 00000000{"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:to_server,established; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000{"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:trojan-activity; sid:2020692; rev:1;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x31\xad content:" 000000001"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:to_server,established; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 000000001"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:trojan-activity; sid:2020693; rev:1;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x44\xdf content:" 00000000D"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:to_server,established; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000D"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:trojan-activity; sid:2020694; rev:1;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x94 content:" 00000000p"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:trojan-activity; sid:2020695; rev:1;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x3f\xa6 content:" 00000000?"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:to_server,established; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; content:" 00000000?"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:trojan-activity; sid:2020696; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2020697 Protocol Not Supported ^\/a[a-z]{9,}\/[a-f0-9]{40}$ uricontent:"/aaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; uricontent:"/aaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:trojan-activity; sid:2020698; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020699 -------- Hex Payload Start ---------- 0d 0a 0d 0a 7b 5c 72 74 --------- Hex Payload End ----------- ^\s*?[\x22\x27][^\x22\x27]+\.php\?id=\d+[\x22\x27] content:""#.php?id=0""; |---------------------| Building Rule: 2020700 -------- Hex Payload Start ---------- 49 4e 43 4c 55 44 45 50 49 43 54 55 52 45 20 20 22 00 2e 70 68 70 3f 69 64 3d 30 22 --------- Hex Payload End ----------- ^\/(?:[^\x2f]+\/)*log\/\?[bc]= NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/log/?b="; |---------------------| Building Rule: 2020701 -------- Hex Payload Start ---------- 47 45 54 20 74 20 3a 20 20 20 20 20 20 --------- Hex Payload End ----------- type both, count 1, seconds 60, track by_src |---------------------| Building Rule: 2020702 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 42 69 74 74 6f 72 72 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020703 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 74 6f 72 64 6f 6d 61 69 6e 03 6f 72 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020704 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0b 77 65 6c 63 6f 6d 65 32 74 6f 72 03 6f 72 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020705 -------- Hex Payload Start ---------- 20 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a 48 6f 73 74 3a --------- Hex Payload End ----------- \.php\?id=\d+$ uricontent:".php?id=0"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Content-T"; http_header; content:!"Referer|3a|"; http_header; uricontent:".php?id=0"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:trojan-activity; sid:2020706; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern:only; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020710 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 57 41 52 4e 49 4e 47 20 2d 20 53 45 43 55 52 49 54 59 20 41 4c 45 52 54 3c 2f 74 69 74 6c 65 3e --------- Hex Payload End ----------- |---------------------| Building 
Rule: 2020711 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b 2a|.tr553.com"; distance:1; within:12; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:trojan-activity; sid:2020712; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020713 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 63 61 63 68 65 05 64 6e 73 64 65 03 63 6f 6d 00 --------- Hex Payload End ----------- \/\??4c2H(?:$|[&?]utm_source=) uricontent:"/4c2H"; |---------------------| Building Rule: 2020715 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020716 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 69 70 69 6e 66 6f 2e 69 6f 0d 0a 20 3a --------- Hex Payload End ----------- \/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$ uricontent:"/state.php?"; |---------------------| Building Rule: 2020717 -------- Hex Payload Start ---------- 47 45 54 20 20 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020718 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- Hex Payload End ----------- ^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref 
content:"a=".replace(/[AAAAAAAAAA]/g,'').substr(0,0);a=".replace(/[AAAAAAAAAA]/g,'').substr"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; within:8; content:"a=".replace(/[AAAAAAAAAA]/g,'').substr(0,0);a=".replace(/[AAAAAAAAAA]/g,'').substr"; content:"]/g,|27 27|).substr|28|"; fast_pattern:only; classtype:trojan-activity; sid:2020719; rev:2;) Parser failed - skipping rule ^\/index\.php\?[A-Za-z0-9_-]{15}=l3S uricontent:"/index.php?AAAAAAAAAAAAAAA=l3S"; |---------------------| Building Rule: 2020720 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3a --------- Hex Payload End ----------- ^\/index\.php\?[A-Za-z0-9_-]{15}=l3S uricontent:"/index.php?AAAAAAAAAAAAAAA=l3S"; |---------------------| Building Rule: 2020721 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 3f 20 3d 6c 33 53 --------- Hex Payload End ----------- ^\/\?[A-Za-z0-9_-]{15}=l3S uricontent:"/?AAAAAAAAAAAAAAA=l3S"; |---------------------| Building Rule: 2020722 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FindPOS Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"oprat="; http_client_body; fast_pattern:only; content:"&uid="; http_client_body; content:"&uinfo="; http_client_body; content:"&win="; http_client_body; content:"&vers="; http_client_body; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:trojan-activity; sid:2020723; rev:3;) Parser failed - skipping rule ^\W content:""; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing March 20 2015"; flow:established,from_server; content:"function iu7("; content:"ji2"; within:100; content:""; content:"hu2"; pcre:"/^\W/R"; classtype:trojan-activity; sid:2020725; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"uid="; depth:4; http_client_body; content:"&win="; distance:0; http_client_body; content:"&vers="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:2020724; rev:2;) Parser failed - skipping rule ^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28 NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref NOT IMPL not _simple(av) in REPEATING CODES 
content:"#*/aaa(#);/*#*/("; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing March 20 2015 M2"; flow:established,from_server; content:"|22 29 3b 2f 2a|"; content:"#*/aaa(#);/*#*/("; classtype:trojan-activity; sid:2020726; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020727 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 33 62 6a 70 77 73 66 33 66 6a 63 77 74 6e 77 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020728 Protocol Not Supported |---------------------| Building Rule: 2020729 -------- Hex Payload Start ---------- 20 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 70 61 63 68 65 2d 48 74 74 70 43 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020730 Error here within! -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2020734 Error here depth! -------- Hex Payload Start ---------- 2e 20 74 20 3a 20 2d 20 20 20 20 20 20 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020735 Protocol Not Supported |---------------------| Building Rule: 2020736 Protocol Not Supported |---------------------| Building Rule: 2020737 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020738 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020739 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6c 37 67 62 6d 6c 32 37 63 7a 6b 33 6b 76 72 35 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020740 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 69 65 7a 71 6d 64 34 73 32 66 66 6c 6d 68 37 6e --------- Hex Payload End ----------- ^[a-z0-9]{50} content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1;) Parser failed - skipping rule ^[a-z0-9]{50} content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! Error parsing rule contents alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; content:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1;) Parser failed - skipping rule ^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref content:"".replace(/[AAAAAAAAAA]"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; content:"document.createElement|28|"; content:"".replace(/[AAAAAAAAAA]"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:trojan-activity; sid:2020743; rev:4;) Parser failed - skipping rule ^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\] NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL Groupref content:"".replace(/[AAAAAAAAAA]"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; content:"document.createElement|28|"; content:"".replace(/[AAAAAAAAAA]"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:trojan-activity; sid:2020744; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2020745 Protocol Not Supported ^\/[a-z]{2}(?:-[a-z]{2})?\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/aa/"; |---------------------| Building Rule: 2020746 -------- Hex Payload Start ---------- 47 45 54 20 3a 20 20 20 3d 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 20 --------- Hex Payload End ----------- ^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"="; distance:0; http_uri; content:"Host|3a|"; depth:5; http_header; uricontent:"/a/"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?$/Hmi"; content:" like Gecko|29| Chrome/"; http_header; fast_pattern; flowbits:set,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020747; rev:7;) Parser failed - skipping rule ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title NOT IMPL not _simple(av) in REPEATING CODES content:"</title"; |---------------------| Building Rule: 2020748 -------- Hex Payload Start ---------- 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 3d 20 3c 74 69 74 6c 65 3e 20 3c 2f 74 69 74 6c 65 --------- Hex Payload End ----------- ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$ NOT IMPL not _simple(av) in REPEATING CODES content:"</title></html>"; |---------------------| Building Rule: 2020749 -------- Hex Payload Start ---------- 0d 0a 0d 0a 3c 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 20 3c 2f 74 69 74 6c 65 3e 3c 2f 68 74 6d 6c 3e 20 3c 2f 74 69 74 6c 65 3e 3c 2f 68 74 6d 6c 3e --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; content:"POST"; http_method; content:"Jm9zX3ZlbmRvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; content:"POST"; http_method; content:"Zvc192ZW5kb3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; content:"POST"; http_method; content:"mb3NfdmVuZG9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:2;) Parser failed - skipping rule ^\s*?\(\s*?[\x22\x27]chrome\x3a\/\/ content:"("chrome://"; |---------------------| Building Rule: 2020756 -------- Hex Payload Start ---------- 63 68 72 6f 6d 65 3a 2f 2f 20 6f 70 65 6e 20 28 22 63 68 72 6f 6d 65 3a 2f 2f 20 6d 65 73 73 61 67 65 4d 61 6e 61 67 65 72 2e 6c 6f 61 64 46 72 61 6d 65 53 63 72 69 70 74 20 50 72 6f 78 79 2e 63 72 65 61 74 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020755 -------- Hex Payload Start ---------- 76 61 72 20 6f 73 5f 6e 61 6d 65 3b 20 76 61 72 20 6f 73 5f 76 65 6e 64 6f 72 3b 20 76 61 72 20 6f 73 5f 64 65 76 69 63 65 3b 20 76 61 72 20 6f 73 5f 66 6c 61 76 6f 72 3b --------- Hex Payload 
End ----------- |---------------------| Building Rule: 2020757 -------- Hex Payload Start ---------- 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 6a 70 65 67 0d 0a 0d 0a 4d 5a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020758 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4b 41 49 49 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020759 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6f 74 73 61 61 33 35 67 78 62 63 77 76 72 71 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020760 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 34 62 70 74 68 78 35 7a 34 65 37 6e 36 67 6e 62 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020761 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 62 63 33 79 77 76 69 66 34 6d 33 6c 6e 77 34 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2020762 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 6c 6c 67 65 72 77 34 70 6c 79 79 66 66 34 34 36 --------- Hex Payload End ----------- ^[\x20-\x7e]+?.{8}\x7b\x98 content:" 00000000{"; Unsupported keyword! 
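The `^regex content:"…"` pairs in this run show the rule builder turning each rule's pcre into a literal it can lay down in the payload, and the `NOT IMPL … Groupref` / `not _simple(av) in REPEATING CODES` notes show where that conversion gives up (backreferences, lazy groups, nested repeats); for the HanJuan rules it emits `"".replace(/[AAAAAAAAAA]`, which the rule's own pcre cannot match. The block below is an added example, not the page's tool: it derives a shortest witness for a regex by walking the tree produced by Python's own regex parser (`re._parser`, formerly `sre_parse`), taking the minimum count of every repeat, the first alternative of every branch and the first member of every class, resolving backreferences from the text already generated, and skipping anchors and lookarounds. Because skipping a lookaround can produce a wrong literal, the result is re-checked with `re.match` before it is returned. The choice of `'0'` for `.`, the printable-ASCII fallback for negated classes, and the helper names are mine; the sample patterns are copied from the log lines above.

```python
import re
try:                                   # Python 3.11+ moved the regex parser here
    from re import _parser as sre_parse, _constants as sre
except ImportError:                    # older CPython
    import sre_parse
    import sre_constants as sre

PRINTABLE = [chr(c) for c in range(0x20, 0x7f)]

def strip_pcre(option):
    """'"/^abc\\x3a/Hmi"' -> '^abc\\x3a': drop the rule quoting, delimiters and flags."""
    body = option.strip().strip('"')
    return body[1:body.rindex("/")]

def _in_class(items, ch):
    """Membership test for a parsed [...] class (also used for \\d, \\s, \\w)."""
    code, hit, negate = ord(ch), False, False
    for op, arg in items:
        if op == sre.NEGATE:
            negate = True
        elif op == sre.LITERAL:
            hit |= code == arg
        elif op == sre.RANGE:
            hit |= arg[0] <= code <= arg[1]
        elif op == sre.CATEGORY:
            digit, space, word = ch.isdigit(), ch.isspace(), ch.isalnum() or ch == "_"
            hit |= {sre.CATEGORY_DIGIT: digit, sre.CATEGORY_NOT_DIGIT: not digit,
                    sre.CATEGORY_SPACE: space, sre.CATEGORY_NOT_SPACE: not space,
                    sre.CATEGORY_WORD: word, sre.CATEGORY_NOT_WORD: not word}[arg]
    return hit != negate

def _class_char(items):
    if not any(op == sre.NEGATE for op, _ in items):
        for op, arg in items:               # first concrete member, as the log's tool picks
            if op == sre.LITERAL:
                return chr(arg)
            if op == sre.RANGE:
                return chr(arg[0])
    for ch in PRINTABLE:                    # negated classes and bare categories
        if _in_class(items, ch):
            return ch
    raise NotImplementedError("class has no printable member")

def witness(pattern):
    """Shortest string matching `pattern`: minimal repeats, first alternative,
    first class member, backreferences resolved. Lookarounds are skipped, so the
    result is re-checked with re.match before it is returned."""
    groups = {}

    def gen(sub):
        out = []
        for op, arg in sub:
            if op == sre.LITERAL:
                out.append(chr(arg))
            elif op == sre.NOT_LITERAL:
                out.append(next(c for c in PRINTABLE if ord(c) != arg))
            elif op == sre.ANY:
                out.append("0")             # '.' is any non-newline char; '0' is arbitrary
            elif op == sre.IN:
                out.append(_class_char(arg))
            elif op in (sre.MAX_REPEAT, sre.MIN_REPEAT):   # arg = (min, max, body)
                out.append("".join(gen(arg[2]) for _ in range(arg[0])))
            elif op == sre.SUBPATTERN:      # arg = (group or None, add_flags, del_flags, body)
                text = gen(arg[-1])
                if arg[0] is not None:
                    groups[arg[0]] = text
                out.append(text)
            elif op == sre.BRANCH:          # arg = (None, [alternatives])
                out.append(gen(arg[1][0]))
            elif op == sre.GROUPREF:
                out.append(groups[arg])
            elif op in (sre.AT, sre.ASSERT, sre.ASSERT_NOT):
                pass                        # anchors and lookarounds contribute no bytes
            else:
                raise NotImplementedError(str(op))
        return "".join(out)

    result = gen(sre_parse.parse(pattern))
    if not re.match(pattern, result):
        raise ValueError("witness %r does not match %r" % (result, pattern))
    return result

# Patterns copied from the regex-to-content lines of the log above.
SAMPLES = [
    r"^[a-z0-9]{50}",
    r"^[\x20-\x7e]+?.{8}\x7b\x98",
    r"^\s*?\(\s*?[\x22\x27]chrome\x3a\/\/",
    r"^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]",
    r"^\/[a-z]{2}(?:-[a-z]{2})?\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$",
]

if __name__ == "__main__":
    for pat in SAMPLES:
        print(pat, "->", witness(pat).encode("latin-1"))
```

Run stand-alone, it reproduces `("chrome://` and the fifty `a`s exactly as the log shows them, yields `"0".replace(/[AAAAAAAAAA]` and `/aa/AA==` where the log's tool printed `NOT IMPL`, and for the Gh0st pattern keeps the trailing `\x98` byte that is absent from the `" 00000000{"` content in the log. Encode the witness with latin-1 before placing it in a payload; a witness with bytes above 0x7f is not printable and must not be pasted back into a rule as text.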
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:to_server,established; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000{"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:trojan-activity; sid:2020763; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x71\x95 content:" 00000000q"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:to_server,established; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000q"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:trojan-activity; sid:2020764; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x9c content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:trojan-activity; sid:2020765; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x40\xa3 content:" 00000000@"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:to_server,established; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000@"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:trojan-activity; sid:2020766; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7c\x9c content:" 00000000|"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:trojan-activity; sid:2020767; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7d\x9a content:" 00000000}"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:to_server,established; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000}"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:trojan-activity; sid:2020768; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7b\x95 content:" 00000000{"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:to_server,established; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000{"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:trojan-activity; sid:2020769; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7a\x9f content:" 00000000z"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:to_server,established; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000z"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:trojan-activity; sid:2020770; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x9b content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:trojan-activity; sid:2020771; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x9a content:" 00000000y"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:to_server,established; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:trojan-activity; sid:2020772; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x78\x9a content:" 00000000x"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:to_server,established; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000x"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:trojan-activity; sid:2020773; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x9c content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:trojan-activity; sid:2020774; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x9b content:" 00000000p"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:trojan-activity; sid:2020775; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x9b content:" 00000000y"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:trojan-activity; sid:2020776; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x3b\xdf content:" 00000000;"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:to_server,established; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000;"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:trojan-activity; sid:2020777; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x98 content:" 00000000p"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:to_server,established; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:trojan-activity; sid:2020778; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x3b\xd8 content:" 00000000;"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:to_server,established; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000;"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:trojan-activity; sid:2020779; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7d\x9f content:" 00000000}"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:to_server,established; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000}"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:trojan-activity; sid:2020780; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x31\xd9 content:" 000000001"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 000000001"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:trojan-activity; sid:2020781; rev:4;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7e\x9c content:" 00000000~"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:to_server,established; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000~"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:trojan-activity; sid:2020782; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x40\xd8 content:" 00000000@"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:to_server,established; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000@"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:trojan-activity; sid:2020783; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x47\xd9 content:" 00000000G"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:to_server,established; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000G"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:trojan-activity; sid:2020784; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x4a\xd5 content:" 00000000J"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:to_server,established; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000J"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:trojan-activity; sid:2020785; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7f\x9f content:" 00000000"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:to_server,established; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:trojan-activity; sid:2020786; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x9a content:" 00000000p"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:to_server,established; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:trojan-activity; sid:2020787; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7a\x9a content:" 00000000z"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000z"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:trojan-activity; sid:2020788; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7c\x9e content:" 00000000|"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:to_server,established; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:trojan-activity; sid:2020789; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x30\xa5 content:" 000000000"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:to_server,established; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 000000000"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:trojan-activity; sid:2020790; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x31\xd9 content:" 000000001"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 000000001"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:trojan-activity; sid:2020791; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x70\x9b content:" 00000000p"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000p"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:trojan-activity; sid:2020792; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7f\x94 content:" 00000000"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:to_server,established; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:trojan-activity; sid:2020793; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7d\x94 content:" 00000000}"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000}"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:trojan-activity; sid:2020794; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7b\x9b content:" 00000000{"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:to_server,established; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000{"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:trojan-activity; sid:2020795; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x71\x9d content:" 00000000q"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:to_server,established; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000q"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:trojan-activity; sid:2020796; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x49\xa2 content:" 00000000I"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:to_server,established; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000I"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:trojan-activity; sid:2020797; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x7d\x98 content:" 00000000}"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:to_server,established; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000}"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:trojan-activity; sid:2020798; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x79\x94 content:" 00000000y"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:to_server,established; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000y"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:trojan-activity; sid:2020799; rev:2;) Parser failed - skipping rule ^[\x20-\x7e]+?.{8}\x39\x99 content:" 000000009"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:to_server,established; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 000000009"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:trojan-activity; sid:2020800; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020801 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2020802 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GoogleFile - Creds Phished"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; classtype:bad-unknown; sid:2020803; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020804 -------- Hex Payload Start ---------- 2e 72 76 69 65 77 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020805 Protocol Not Supported |---------------------| Building Rule: 2020806 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 73 74 65 72 5a 41 4c 41 4c 55 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020807 -------- Hex Payload Start ---------- 3d 3d 67 4b 67 35 58 49 2b 42 6d 4b --------- Hex Payload End ----------- ^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$ content:"<*` `*>"; |---------------------| Building Rule: 2020808 -------- Hex Payload Start ---------- 3c 2a 60 60 2a 3e 20 3c 2a 60 20 60 2a 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020809 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 3e 45 78 70 6c 6f 73 69 76 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020810 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020811 Parser failed - skipping rule |---------------------| Building Rule: 2020812 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020813 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 30 37 32 37 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020814 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 07 73 61 76 65 77 65 62 04 77 69 6e 6b 02 77 73 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020815 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 63 61 72 69 6d 61 32 30 31 32 06 73 69 74 65 39 30 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020816 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 65 78 70 6c 6f 72 65 72 64 6f 74 6e 74 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020817 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 64 6f 74 6e 65 74 65 78 70 6c 6f 72 65 72 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020818 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 64 6f 74 6e 74 65 78 70 6c 6f 72 65 72 65 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020819 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 78 70 6c 6f 72 65 72 65 64 6f 74 6e 65 74 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020820 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0e 65 72 64 6f 74 6e 74 65 78 70 6c 6f 72 65 04 69 6e 66 6f 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020821 -------- Hex Payload Start ---------- 47 45 54 20 5f 5e 5b 8b e5 5d 20 2e 20 2e 20 3a 20 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 39 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 54 72 69 64 65 6e 74 2f 35 2e 30 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020822 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e --------- Hex Payload End ----------- \/content\/dl\.php\?sl=vbs[a-z0-9]{32}$ uricontent:"/content/dl.php?sl=vbsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2020823 -------- Hex 
Payload Start ---------- --------- Hex Payload End ----------- \/content\/getvbslink\.php\?d=[a-z0-9]{32}$ uricontent:"/content/getvbslink.php?d=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2020824 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n] content:"#"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:"|0d 0a 0d 0a|"; distance:0; byte_extract:1,4,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; content:"#"; content:"Host|3a 20|"; http_header; pcre:"/^(?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+\.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}\r?$/RHm"; reference:md5,148112df459ba40b9127f7d4f1c08df2; classtype:trojan-activity; sid:2020825; rev:5;) Parser failed - skipping rule \/[a-z0-9]+\/[a-z0-9]+\.exe$ uricontent:"/a/a.exe"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"Mozilla/"; http_header; content:!"Referer|3A 20|"; http_header; content:!"Accept"; http_header; content:!"MstarUpdate"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; uricontent:"/a/a.exe"; pcre:"/^User-Agent\x3A\x20[a-z\x20]{2,30}\r\nHost\x3A[^\r\n]+\r\n(?:\r\n)?$/Hmi"; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:4;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Payment Info"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"spShopId="; http_client_body; content:"&spShopPaymentId="; fast_pattern; http_client_body; distance:0; content:"&spCurrency="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"action=showPaymentForm&"; fast_pattern:3,20; http_client_body; content:"psAgreement="; http_client_body; distance:0; content:"&paymentSystemId="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:2;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"locker_ver="; fast_pattern; http_client_body; content:"&i_firstboot="; http_client_body; distance:0; content:"&harddiskserial="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020829; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - Bravica"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a 20|www.bravica.net|0d 0a|"; http_header; content:"name="; http_client_body; content:"&cmd="; http_client_body; distance:0; classtype:policy-violation; sid:2020830; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020831 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 69 70 2d 77 68 6f 69 73 2e 6e 65 74 0d 0a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:trojan-activity; sid:2020832; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2020833 Error here depth! -------- Hex Payload Start ---------- 2e 20 52 65 66 65 72 65 72 3a 20 48 54 54 50 2f 31 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020835 -------- Hex Payload Start ---------- 47 45 54 20 2e 20 74 20 3a 20 --------- Hex Payload End ----------- ^[a-z0-9]+\[\d+\] content:"a[0]"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; content:"a[0]"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020836; rev:1;) Parser failed - skipping rule \.[^\x3F]+\?id=\d+&act=\d+$ uricontent:".#?id=0&act=0"; |---------------------| Building Rule: 2020837 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ETPRO.MalDocEXEPrimer; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020839 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 36 33 67 68 64 79 65 31 37 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020840 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22 NOT IMPL not _simple(av) in REPEATING CODES content:"(" ","QQ""; |---------------------| Building Rule: 2020841 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 20 65 76 61 6c 3b 20 72 65 70 6c 61 63 65 20 28 22 20 22 2c 22 51 51 22 --------- Hex Payload End ----------- ^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22 NOT IMPL not _simple(av) in REPEATING CODES content:"(" ","QQ""; |---------------------| Building Rule: 2020842 -------- Hex Payload Start ---------- 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 20 72 65 74 75 72 6e 20 65 76 61 6c 20 72 65 70 6c 61 63 65 20 28 22 20 22 2c 22 51 51 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020843 Protocol Not Supported |---------------------| Building Rule: 2020844 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 09 37 68 77 72 33 34 6e 31 38 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020845 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020846 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 20 05 6a 61 6d 63 6f 03 63 6f 6d 02 70 6b 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020847 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2020848 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2020849 -------- Hex Payload Start ---------- 00 00 00 00 00 00 00 00 00 00 00 32 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020850 -------- Hex Payload Start ---------- 00 00 00 00 00 00 00 00 00 00 00 86 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020851 -------- Hex Payload Start ---------- 00 00 00 00 00 00 00 00 00 00 00 84 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020852 -------- Hex Payload Start ---------- 53 79 5c 77 69 6e 69 6e 69 74 5c 20 77 69 6e 6c 6f 67 6f 6e 5c --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2020853 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 40 04 00 63 00 69 00 73 00 63 00 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2020854 -------- Hex Payload Start ---------- 69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b --------- Hex Payload End ----------- [\/=][a-z0-9]{8,}$ uricontent:"/aaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; content:!"|0d 0a|Accept-"; nocase; http_header; uricontent:"/aaaaaaaa"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" rv|3a|11.0"; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020856 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:22; content:"/cgi-bin/setup_dns.exe"; http_uri; content:"getpage=|2e 2e|/html/setup/dns.htm"; http_client_body; depth:29; fast_pattern:9,20; content:"resolver|3a|settings/nameserver1="; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:10; content:"/apply.cgi"; content:"submit_button=index"; http_client_body; depth:19; fast_pattern; content:"&action=Apply"; http_client_body; distance:0; nocase; content:"&lan_dns0="; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:26; content:"/apply.cgi?/BAS_update.htm"; http_uri; content:"submit_flag=ether"; http_client_body; depth:17; fast_pattern; content:"ðer_dnsaddr1="; http_client_body; distance:0; nocase; content:"&Apply=Apply"; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:3;) Parser failed - skipping rule \/im(?:age|g)\.php\?id=\d+$ uricontent:"/im.php?id=0"; |---------------------| Building Rule: 2020860 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a 20 4d 53 4f 66 66 69 63 65 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2020861 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020862 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020863 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020864 Protocol Not Supported ^\s*?\<\s*?10 content:"<10"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; content:"<10"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020865; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020866 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/cgi-bin/webcm"; http_uri; fast_pattern:only; content:"getpage="; http_client_body; depth:10; content:"errorpage="; http_client_body; distance:0; content:"/html/index.html&login|3a|command"; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi-bin/webcm?"; http_uri; fast_pattern; content:"getpage="; http_uri; distance:0; content:"|2e 2e|/html/menus/menu2.html"; http_raw_uri; content:"&var|3a|lang="; http_uri; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020882 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 65 70 6d 68 79 63 61 35 6f 6c 36 70 6c 6d 78 33 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020869 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 77 68 34 37 66 32 61 73 31 39 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020871 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020872 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020873 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020874 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020875 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020876 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020877 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020878 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020879 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020880 -------- Hex Payload Start ---------- 47 45 54 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020881 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 65 6e 64 6f 72 69 2d 43 6c 69 65 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020883 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 
35 2e 31 3b 20 65 6e 2d 55 53 3b 20 72 76 3a 78 2e 78 78 29 20 47 65 63 6b 6f 2f 32 30 30 33 30 35 30 34 20 4d 6f 7a 69 6c 6c 61 20 46 69 72 65 62 69 72 64 2f 30 2e 36 --------- Hex Payload End ----------- |---------------------| Building Rule: 2020884 -------- Hex Payload Start ---------- 0d 0a 50 43 3a 20 0d 0a 54 65 78 74 3a 20 0d 0a 49 50 3a 20 0d 0a 54 53 3a 20 --------- Hex Payload End ----------- \.rar$ uricontent:".rar"; |---------------------| Building Rule: 2020885 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 65 6e 2d 75 73 3b 20 72 76 3a 31 2e 39 2e 32 2e 33 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 34 30 31 20 59 46 46 33 35 20 46 69 72 65 66 6f 78 2f 33 2e 36 2e 33 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kriptovor External IP Lookup checkip.dyndns.org"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a 20|checkip.dyndns.org|0d 0a|"; depth:26; http_header; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; http_header; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,00e3b69b18bfad7980c1621256ee10fa; classtype:trojan-activity; sid:2020886; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020887 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2020888 Protocol Not Supported |---------------------| Building Rule: 2020889 Error here within! 
-------- Hex Payload Start ---------- 00 01 00 01 20 20 20 20 00 04 2e f4 15 04 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2020892 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 48 6f 73 74 3a 20 70 61 73 74 65 62 69 6e 2e 63 6f 6d 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 0d 0a --------- Hex Payload End ----------- ^[a-f0-9]{500} content:"[long run of 'a' characters elided]"; |---------------------| Building Rule: 2020893 -------- Hex Payload Start ---------- 76 62 73 63 72 69 70 74 20 22 34 44 35 41 39 30 20 2e 20 [long run of 61 bytes elided] --------- Hex Payload End ----------- ^[a-f0-9]{500} content:"[long run of 'a' characters elided]"; |---------------------| Building Rule: 2020894 -------- Hex Payload Start ---------- 76 62 73 63 72 69 70 74 20 27 34 44 35 41 39 30 20 2e 20 [long run of 61 bytes elided] --------- Hex Payload End ----------- ^\/(?:\??[a-f0-9]{32,64}\/?)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern:only; uricontent:"/"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:trojan-activity; sid:2020895; rev:6;) Parser failed - skipping rule |---------------------| Building Rule: 2020896 -------- Hex Payload Start ---------- 22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22 --------- Hex Payload End ----------- \.(?:txt|gif|exe|bmp)$ uricontent:"."; |---------------------| Building Rule: 2020897 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 33 32 29 0d 0a 48 4f 53 54 3a 20 3a 20 74 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"|20 28|compatible|3b| MSIE 6.0|3b| Win32|29 0d 0a|HOST|3a|"; http_header; fast_pattern:12,20; content:"|0d 0a 0d 0a|"; byte_jump:4,1,relative,little,post_offset -6; isdataat:!2,relative; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:trojan-activity; sid:2020898; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Emotet v2 Exfiltrating Outlook information"; flow:established,to_server; content:"POST"; http_method; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"<Information>"; http_client_body; fast_pattern; content:"<id>"; distance:0; http_client_body; content:"<Version>"; distance:0; http_client_body; content:"<profile>"; distance:0; http_client_body; reference:url,securelist.com/analysis/69560/the-banking-trojan-emotet-detailed-analysis/; classtype:trojan-activity; sid:2020900; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2020901 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 65 61 2f --------- Hex Payload End ----------- \.txt$ uricontent:".txt"; |---------------------| Building Rule: 2020902 Error here depth! 
-------- Hex Payload Start ----------
47 45 54 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 75 73 0d 0a 48 6f 73 74
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
\/redirect\.php\?loc=mail$
uricontent:"/redirect.php?loc=mail";
|---------------------|
Building Rule: 2020906
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 74 20 3a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault CnC Beacon M1"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"hwid="; depth:5; http_client_body; content:"&knock="; distance:0; http_client_body; content:"&keylog="; http_client_body; fast_pattern:only; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020907; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault CnC Beacon M2"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http_client_body; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020908; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020909
-------- Hex Payload Start ----------
0d 0a 0d 0a 65 79 4a 72 62 6d 39 6a 61 33 52 70 62 57 55 69 4f 6a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020910
-------- Hex Payload Start ----------
47 45 54 20 20 3a 20 4d 53 49 45
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020911
-------- Hex Payload Start ----------
0d 0a 0d 0a 50 41 42 30 41 47 55 41 65 41 42 30 41 44 45 41 4d 41 41 2b 41 43 51 41
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule: 2020914
-------- Hex Payload Start ----------
50 61 63 6b 65 64 20 62 79 20 65 78 65 33 32 70 61 63 6b 53 74 65 65 6c 42 79 74 65 73 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020915
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 33 33 70 35 6d 71 6b 61 6a 32 32 69 72 76 34 7a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; content:"302"; http_stat_code; content:"Found"; http_stat_msg; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; content:"301"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020918
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 20 2e 20 74 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020919
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 74 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020920
-------- Hex Payload Start ----------
47 45 54 20 20 20 20 2e 20 74 20 3a
--------- Hex Payload End -----------
&(?:uid|name|file)=[a-f0-9]+$
uricontent:"&=a";
|---------------------|
Building Rule: 2020921
-------- Hex Payload Start ----------
47 45 54 20 20 74 20 3a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sysget/HelloBridge HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?fn="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|file|22|"; http_client_body; content:"name=|22|path|22|"; distance:0; http_client_body; content:"name=|22|submit|22|"; distance:0; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020922; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020923
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020924
-------- Hex Payload Start ----------
50 4f 53 54 20 20 2e 20 3a 20 2e 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020925
-------- Hex Payload Start ----------
50 4f 53 54 20 20 2e 20 3a 20 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 29 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule: 2020927
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 50 61 73 73 3a 20 48 6f 73 74 6e 61 6d 65 3a 20 49 70 3a 20 4f 73 3a 20 50 72 6f 78 79 3a 20 56 6d 3a
--------- Hex Payload End -----------
\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"?HostID=AA";
|---------------------|
Building Rule: 2020928
-------- Hex Payload Start ----------
50 4f 53 54 20 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 29 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020929
-------- Hex Payload Start ----------
0d 0a 0d 0a 20 fc 6e 8e d1 0a 7a be 86
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020930
Error here within!
-------- Hex Payload Start ----------
0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 35 8c 0c 43 e2 1c f7 e4
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020931
Error here within!
-------- Hex Payload Start ----------
0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 fc 6e 8e d1 0a 7a be 86
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020932
Protocol Not Supported
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dalexis CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| multipart/form-data|3b| boundary="; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Accept"; nocase; http_header; content:"name=|22|uploaded|22 3b 20|filename=|22|"; http_client_body; fast_pattern:only; content:".jpg"; http_client_body; classtype:trojan-activity; sid:2020933; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020934
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 20 46 69 72 65 66 6f 78 2f 34 2e 30 0d 0a 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
\/$
uricontent:"/";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/"; offset:1; http_uri; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"unkey="; depth:6; http_client_body; fast_pattern; content:!"&"; distance:0; http_client_body; uricontent:"/"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020938; rev:2;)
Parser failed - skipping rule
\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$
uricontent:"/?bit=&version=0000-0-0";
|---------------------|
Building Rule: 2020939
-------- Hex Payload Start ----------
47 45 54 20 20 20 74 20 3a
--------- Hex Payload End -----------
\/\?check$
uricontent:"/?check";
|---------------------|
Building Rule: 2020940
-------- Hex Payload Start ----------
47 45 54 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 45 78 61 6d 70 6c 65 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020942
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 74 6b 6a 33 68 69 67 74 71 6c 76 6f 68 73 37 7a
--------- Hex Payload End -----------
^\/\d+\/\d+\.exe$
uricontent:"/0/0.exe";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; uricontent:"/0/0.exe"; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/Hmi"; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020943
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/StreamFlaw.A Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; http_header; fast_pattern:25,20; content:!"Referer|3a|"; http_header; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:trojan-activity; sid:2020947; rev:2;)
Parser failed - skipping rule
&format=json$
uricontent:"&format=json";
|---------------------|
Building Rule: 2020948
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 20 3a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Neutrino Bot Fake 404 Checkin Response"; flow:to_client,established; content:"404"; http_stat_code; content:"<!--"; content:"NCMD|3a|"; within:6; reference:url,blog.fortinet.com/post/hiding-malicious-traffic-under-the-http-404-error; classtype:trojan-activity; sid:2020949; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020950
-------- Hex Payload Start ----------
27 3b 64 3d 75 6e 65 73 63 61 70 65 28 6d 29 3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 29 3b 3c 2f 73 63 72 69 70 74 3e 20 2e 73 77 66 20 2e 73 77 66 20 76 62 73 63 72 69 70 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 20 2e 65 78 65
--------- Hex Payload End -----------
\/bad\/[A-Z0-9]+\.swf$
uricontent:"/bad/A.swf";
|---------------------|
Building Rule: 2020951
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020952
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 70 66 33 74 6c 67 6b 70 6b 73 37 70 75 37 79 72
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020953
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 76 37 6c 66 6f 67 61 6c 61 6c 7a 63 32 63 34 64 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020954
-------- Hex Payload Start ----------
4e 65 74 42 49 4f 53 20 52 65 6d 6f 74 65 20 4d 61 63 68 69 6e 65 20 4e 61 6d 65 20 54 61 62 6c 65 4e 61 6d 65 20 54 79 70 65 53 74 61 74 75 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020956
-------- Hex Payload Start ----------
4e 65 74 42 49 4f 53 20 4e 61 6d 65 73 20 52 65 73 6f 6c 75 74 69 6f 6e 20 61 6e 64 20 52 65 67 69 73 74 72 61 74 69 6f 6e 20 53 74 61 74 69 73 74 69 63 73 4e 61 6d 65 54 79 70 65 53 74 61 74 75 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020957
-------- Hex Payload Start ----------
4e 65 74 42 49 4f 53 20 43 6f 6e 6e 65 63 74 69 6f 6e 20 54 61 62 6c 65 4c 6f 63 61 6c 20 4e 61 6d 65 53 74 61 74 65 49 6e 2f 4f 75 74 52 65 6d 6f 74 65 20 48 6f 73 74 49 6e 70 75 74 4f 75 74 70 75 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020955
-------- Hex Payload Start ----------
4e 65 74 42 49 4f 53 20 4c 6f 63 61 6c 20 4e 61 6d 65 20 54 61 62 6c 65 4e 61 6d 65 20 54 79 70 65 53 74 61 74 75 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020958
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 7a 6f 71 6f 77 6d 34 6b 7a 7a 34 63 76 76 76 6c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020959
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 37 6f 71 6e 73 6e 7a 77 77 6e 6d 36 7a 62 37 79
--------- Hex Payload End -----------
^\/\d+\/\d+\.exe$
uricontent:"/0/0.exe";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Graftor Downloading Dridex"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"MSIE"; http_header; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; uricontent:"/0/0.exe"; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020961
Protocol Not Supported
\.php\?$
uricontent:".php?";
|---------------------|
Building Rule: 2020962
Error here depth!
-------- Hex Payload Start ----------
47 45 54 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20
--------- Hex Payload End -----------
[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|---------------------|
Building Rule: 2020963
Error here depth!
-------- Hex Payload Start ----------
47 45 54 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20
--------- Hex Payload End -----------
\.php\?$
uricontent:".php?";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http_header; uricontent:".php?"; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/P"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020964; rev:2;)
Parser failed - skipping rule
^[A-F0-9]{8,12}
content:"AAAAAAAA";
|---------------------|
Building Rule: 2020965
Error here within!
-------- Hex Payload Start ----------
0d 0a 0d 0a 3c 2d 2d 20 41 41 41 41 41 41 41 41 20 2d 2d 3e 0a 3c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020966
Protocol Not Supported
|---------------------|
Building Rule: 2020967
Protocol Not Supported
|---------------------|
Building Rule: 2020968
Protocol Not Supported
|---------------------|
Building Rule: 2020969
Protocol Not Supported
|---------------------|
Building Rule: 2020970
Protocol Not Supported
|---------------------|
Building Rule: 2020971
Protocol Not Supported
|---------------------|
Building Rule: 2020972
Protocol Not Supported
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:6;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020974
Protocol Not Supported
^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; content:"303"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2020978
-------- Hex Payload Start ----------
56 45 52 53 4f 4e 45 58 3a 35 7c
--------- Hex Payload End -----------
^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}
NOT IMPL Groupref
content:"(#,#){+String0fromCharCode()}";
|---------------------|
Building Rule: 2020979
-------- Hex Payload Start ----------
3d 77 69 6e 64 6f 77 3b 20 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 20 28 2f 57 69 6e 36 34 3b 2f 69 2c 20 66 75 6e 63 74 69 6f 6e 20 28 00 2c 00 29 7b 2b 53 74 72 69 6e 67 30 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 29 7d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020980
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 73 6f 6d 65 20 3c 73 74 79 6c 65 3e 20 20 20 5c 3a 2a 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 7d 3c 2f 73 74 79 6c 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule: 2020985
-------- Hex Payload Start ----------
32 31 34 37 30 32 33 30 38 33 20 42 6c 61 63 6b 4c 69 73 74 20 6c 65 6e 42 61 64 46 69 6c 65 73 20 50 72 6f 67 46 69 6c 65 50 61 74 68 20 6c 65 6e 50 72 6f 67 46 69 6c 65 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020986
Error here within!
Error here within!
-------- Hex Payload Start ----------
16 20 0b 20 09 00 be ef 3b e8 9f 06 3c 8d 55 04 0a 20 0f 47 6c 6f 62 61 6c 20 53 65 63 75 72 69 74 79 55 04 03 20 0b 65 78 61 6d 70 6c 65 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020987
-------- Hex Payload Start ----------
0d 0a 0d 0a 4c 00 00 00 20 63 00 6d 00 64 00 2e 00 65 00 78 00 65 20 50 00 6f 00 77 00 65 00 72 00 53 00 68 00 65 00 6c 00 6c 20 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 46 00 69 00 6c 00 65
--------- Hex Payload End -----------
\/street[1-5]\.php$
uricontent:"/street1.php";
|---------------------|
Building Rule: 2020988
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
\/XV-\d+\.exe$
uricontent:"/XV-0.exe";
|---------------------|
Building Rule: 2020989
-------- Hex Payload Start ----------
20 2f 58 56 2d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020990
-------- Hex Payload Start ----------
53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 20 50 6f 77 65 72 73 68 65 6c 6c 20 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 20 3b 64 3d 75 6e 65 73 63 61 70 65 28 6d 29 3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 29 3b
--------- Hex Payload End -----------
\/(?:Flash[23]?|Ink|New|One|HQ).exe$
uricontent:"/0exe";
|---------------------|
Building Rule: 2020991
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020992
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2020993
-------- Hex Payload Start ----------
6a 61 76 61 73 63 72 69 70 74 3e 63 3d 22 20 3b 65 76 61 6c 28 75 6e 65 73 63 61 70 65 28
--------- Hex Payload End -----------
\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$
Parser failed - skipping rule
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])0(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,0";
|---------------------|
Building Rule: 2020995
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])1(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,1";
|---------------------|
Building Rule: 2020996
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])2(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,2";
|---------------------|
Building Rule: 2020997
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])3(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,3";
|---------------------|
Building Rule: 2020998
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,4";
|---------------------|
Building Rule: 2020999
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])5(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,5";
|---------------------|
Building Rule: 2021000
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])6(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,6";
|---------------------|
Building Rule: 2021001
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])7(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,7";
|---------------------|
Building Rule: 2021002
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])8(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,8";
|---------------------|
Building Rule: 2021003
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])9(?:(?P=sep)|\d)*?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,9";
|---------------------|
Building Rule: 2021004
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021005
-------- Hex Payload Start ----------
20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021006
Protocol Not Supported
|---------------------|
Building Rule: 2021007
Protocol Not Supported
|---------------------|
Building Rule: 2021008
Protocol Not Supported
|---------------------|
Building Rule: 2021009
Protocol Not Supported
|---------------------|
Building Rule: 2021010
Protocol Not Supported
|---------------------|
Building Rule: 2021011
Protocol Not Supported
^.{8}[\x20-\x7e]{5}\x78\x9c
content:"00000000 x";
Unsupported keyword!
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:"00000000 x"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:trojan-activity; sid:2021012; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021013
Protocol Not Supported
|---------------------|
Building Rule: 2021014
Protocol Not Supported
|---------------------|
Building Rule: 2021015
Protocol Not Supported
|---------------------|
Building Rule: 2021016
Protocol Not Supported
\.jpg$
uricontent:".jpg";
|---------------------|
Building Rule: 2021017
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 30 29 0d 0a 20 74 20 2e 20 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; content:"POST"; http_method; content:"/apply_noauth.cgi"; http_uri; fast_pattern:only; content:"timestamp="; http_client_body; threshold: type both, track by_dst, count 10, seconds 60; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021019
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 7a 33 6d 6d 36 63 75 70 6d 74 77 35 62 32 78 78
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021020
Error here within!
-------- Hex Payload Start ----------
00 01 00 01 20 20 20 20 00 04 26 e5 46 04
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021021
Error here within!
-------- Hex Payload Start ----------
00 01 00 01 20 20 20 20 00 04 5f d3 ac 8f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021022
Error here within!
-------- Hex Payload Start ----------
00 01 00 01 20 20 20 20 00 04 17 fd 2e 40
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021023; rev:1;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021024; rev:1;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021025
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 39 39 39 2e 30 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 39 39 2e 30 20 53 61 66 61 72 69 2f 39 39 39 2e 30 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021026
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 39 39 39 2e 30 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 39 39 2e 30 20 53 61 66 61 72 69 2f 39 39 39 2e 30 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021027
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downeks Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:7; content:"/dw/gtk"; http_uri; fast_pattern:only; content:"Host|3a|"; http_header; depth:5; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:trojan-activity; sid:2021028; rev:2;) Parser failed - skipping rule \/setup\/[a-zA-Z0-9!-]{100,}$ uricontent:"/setup/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2021029 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 48 6f 73 74 3a 20 2e 20 74 20 3a --------- Hex Payload End ----------- \.php\?type=(?:update_hash|js|key|arsiv_(?:hash|link))$ uricontent:".php?type="; |---------------------| Building Rule: 2021030 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021031 Error here within! 
-------- Hex Payload Start ---------- 55 04 03 20 0f 74 65 72 72 69 62 6c 65 6b 69 72 61 2e 73 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021032 -------- Hex Payload Start ---------- 55 04 03 20 0b 6c 69 64 6c 69 6e 65 2e 63 6f 6d --------- Hex Payload End ----------- ^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/a/0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/%20http:/"; |---------------------| Building Rule: 2021033 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- \/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f uricontent:"/5/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/http:/"; |---------------------| Building Rule: 2021034 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- ^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/a/0/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2021035 -------- Hex Payload Start ---------- 4a 61 76 61 2f --------- Hex Payload End ----------- \/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/5/AAA/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2021036 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/a/5/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; uricontent:"/a/a/5/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:trojan-activity; sid:2021037; rev:3;) Parser failed - skipping rule ^\/[a-z]+\/[a-z]+\/ uricontent:"/a/a/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern:21,20; content:"%"; http_client_body; uricontent:"/a/a/"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:trojan-activity; sid:2021038; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2021039 -------- Hex Payload Start ---------- 6c 6f 72 74 6e 6f 43 67 41 2e 6c 6f 72 74 6e 6f 43 67 41 20 72 65 76 65 72 73 65 --------- Hex Payload End ----------- ^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.html$ Parser failed - skipping rule |---------------------| Building Rule: 2021041 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 63 6c 64 37 76 71 77 63 76 6e 32 62 69 69 36 37 --------- Hex Payload End ----------- \/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$ uricontent:"/0/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/0.0.0.0"; |---------------------| Building Rule: 2021042 -------- Hex Payload Start ---------- 47 45 54 20 2f 25 32 30 68 74 74 70 25 33 41 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021044 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 73 68 6f 63 6b 77 61 76 65 2d 66 6c 61 73 68 0d 0a 20 0d 0a 0d 0a 43 57 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021045 -------- Hex Payload Start ---------- 41 70 70 4d 61 6e 69 66 65 73 74 2e 78 61 6d 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2021046 -------- Hex Payload Start ---------- 43 4d 3a 20 75 2e 69 6e 64 65 78 4f 66 28 27 4e 54 20 35 2e 31 27 29 20 3e 20 2d 31 20 50 53 3a 20 75 2e 69 6e 64 65 78 4f 66 28 27 4e 54 20 36 2e 27 29 20 3e 20 2d 31 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021047 -------- Hex Payload Start ---------- 46 6c 61 73 68 56 61 72 73 20 73 68 3d 59 32 31 6b 49 43 39 6a 49 47 56 6a 61 47 38 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021048 -------- Hex Payload Start ---------- 46 6c 61 73 68 56 61 72 73 20 73 68 3d 
63 47 39 33 5a 58 4a 7a 61 47 56 73 62 43 35 6c 65 47 55 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021049 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 8d 90 89 7e d6 20 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- ^[\x01\x03\x08\x09\x0b]\x00 content:"##"; |---------------------| Building Rule: 2021050 -------- Hex Payload Start ---------- 77 20 01 00 20 40 20 20 48 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1 content:"0.200.0 Firefox/7.0.1"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Mumblehard Command Status CnC"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|7.0.1) Gecko/"; fast_pattern:37,20; content:"0.200.0 Firefox/7.0.1"; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021052; rev:3;) Parser failed - skipping rule ^\d{1,3}[0-2] content:"00"; |---------------------| Building Rule: 2021053 -------- Hex Payload Start ---------- 50 4f 53 54 20 2f 20 48 54 54 50 2f 31 2e 20 0d 0a 0d 0a 0f 0f 20 30 30 --------- Hex Payload End ----------- ^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f content:"/0.0.0.0/a|http:/"; Parser failed - skipping rule \.php$ uricontent:".php"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"name="; http_client_body; content:"&host="; http_client_body; content:"&browser="; http_client_body; content:"&post="; http_client_body; fast_pattern:only; uricontent:".php"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:trojan-activity; sid:2021055; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; isdataat:!1,relative; classtype:trojan-activity; sid:2021057; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2021058 -------- Hex Payload Start ---------- 47 45 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 58 65 6e 75 20 4c 69 6e 6b 20 53 6c 65 75 74 68 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021060 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 31 3b 20 57 69 6e 64 6f 77 73 20 4e 54 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021061 Protocol Not Supported \/genericons\/example\.html$ uricontent:"/genericons/example.html"; |---------------------| Building Rule: 2021062 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2021063 Protocol Not Supported 
|---------------------| Building Rule: Protocol Not Supported ^[\x20-\x7e]+?.{8}\x71\x9e content:" 00000000q"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:to_server,established; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000q"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:trojan-activity; sid:2021065; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021066 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 28 06 63 69 73 63 6f 00 b8 00 00 27 05 6f 6f 68 33 32 33 06 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021076 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4d 5a 50 45 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021077 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 69 73 36 78 73 6f 74 6a 64 79 34 71 74 67 75 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021078 -------- Hex Payload Start ---------- 67 65 6e 65 72 61 74 65 43 52 4d 46 52 65 71 75 65 73 74 20 49 6e 73 74 61 6c 6c 54 72 69 67 67 65 72 20 5f 5f 65 78 70 6f 73 65 64 50 72 6f 70 73 5f 5f 20 5f 5f 64 65 66 69 6e 65 47 65 74 74 65 72 5f 5f 20 67 65 74 49 6e 73 74 61 6c 6c 46 6f 72 55 52 4c 20 2e 69 6e 73 74 61 6c 6c 28 20 78 2d 78 70 69 6e 73 74 61 6c 6c --------- Hex Payload End ----------- \.cgi$ uricontent:".cgi"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enfal CnC POST"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; fast_pattern:only; http_uri; uricontent:".cgi"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021079; rev:2;) Parser failed - skipping rule ^\/(?:tran|http)docs\/ uricontent:"/docs/"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enfal CnC GET"; flow:to_server,established; content:"GET"; http_method; content:"docs/"; http_uri; fast_pattern:only; uricontent:"/docs/"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021080; rev:2;) Parser failed - skipping rule &_=\d+$ uricontent:"&_=0"; |---------------------| Building Rule: 2021081 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- &_=\d+$ uricontent:"&_=0"; |---------------------| Building Rule: 2021082 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- &_=\d+$ uricontent:"&_=0"; |---------------------| Building Rule: 2021083 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021084 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 69 71 33 61 68 69 6a 63 66 65 6f 6e 74 33 78 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021086 Protocol Not Supported |---------------------| Building Rule: 2021087 Protocol Not Supported ^\/p\?\d+(?:\x3b\d+){4}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/p?0"; |---------------------| Building Rule: 2021088 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021089 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 67 65 74 49 50 73 28 63 61 6c 6c 62 61 63 6b 29 20 69 70 5f 64 75 70 73 20 68 61 6e 64 6c 65 43 61 6e 64 69 64 61 74 65 20 52 54 43 50 65 65 72 43 6f 6e 6e 65 63 74 69 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021090 -------- Hex Payload Start ---------- 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 6d 79 69 70 22 3e 20 43 72 79 70 74 6f 4a 53 41 65 73 4a 73 6f 6e --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VaultCrypt Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:6; content:"/v.vlt"; http_uri; fast_pattern:only; content:"|0d 0a|UA-CPU|3a 20|"; http_header; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:trojan-activity; sid:2021091; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021092 -------- Hex Payload Start ---------- 0d 0a 0d 0a 4c 00 00 00 20 00 62 00 69 00 74 00 73 00 61 00 64 00 6d 00 69 00 6e 00 20 00 74 00 72 00 61 00 6e 00 73 00 66 00 65 00 72 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021093 -------- Hex Payload Start ---------- 28 43 68 72 28 37 37 29 20 26 20 43 68 72 28 31 30 35 29 20 26 20 43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 34 36 29 20 26 20 43 68 72 28 38 38 29 20 26 20 43 68 72 28 37 37 29 20 26 20 43 68 72 28 37 36 29 20 26 20 43 68 72 28 37 32 29 20 26 20 43 68 72 28 38 34 29 20 26 20 43 68 72 28 38 34 29 20 26 20 43 68 72 28 38 30 29 --------- Hex Payload End 
----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:"postInstallReport"; http_client_body; fast_pattern; content:"machineId|22 3a 22|"; http_client_body; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:trojan-activity; sid:2021094; rev:3;) Parser failed - skipping rule =c3NoOi8v[A-Za-z0-9+/]+={0,2}$ uricontent:"=c3NoOi8vA"; |---------------------| Building Rule: 2021095 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021096 Protocol Not Supported |---------------------| Building Rule: 2021097 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP.GigaClicks Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/ver/"; http_uri; content:"/sid/"; http_uri; content:"instlog="; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:trojan-activity; sid:2021099; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021100 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 49 43 53 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021101 -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021102 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021104 
-------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 45 54 49 54 47 4f 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021105 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 69 6e 67 6c 65 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021106 Protocol Not Supported |---------------------| Building Rule: 2021107 -------- Hex Payload Start ---------- 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 62 74 6e 5f 73 65 61 72 63 68 2e 70 6e 67 29 2f 2a 74 70 61 3d 68 74 74 70 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021108 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021109 Protocol Not Supported |---------------------| Building Rule: 2021110 -------- Hex Payload Start ---------- 26 22 2b 44 65 74 65 63 74 52 54 43 2e 69 73 57 65 62 53 6f 63 6b 65 74 73 53 75 70 70 6f 72 74 65 64 2b 22 26 22 2b 20 43 72 79 70 74 6f 4a 53 41 65 73 4a 73 6f 6e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021111 -------- Hex Payload Start ---------- 88 88 08 00 20 2e 20 20 2f 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021112 Protocol Not Supported |---------------------| Building Rule: 2021113 Protocol Not Supported |---------------------| Building Rule: 2021114 -------- Hex Payload Start ---------- 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 53 49 45 28 29 29 3b 20 
4e 54 28 29 3b 20 41 56 28 29 3b 20 4f 56 28 29 3b 20 4e 41 28 29 20 56 52 28 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021115 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 74 6c 75 6e 6a 73 63 78 6e 35 6e 37 36 69 79 7a --------- Hex Payload End ----------- ^[a-zA-Z0-9]{8} content:"aaaaaaaa"; |---------------------| Building Rule: 2021116 Error here within! -------- Hex Payload Start ---------- 40 4d 49 43 52 30 53 30 46 54 20 61 61 61 61 61 61 61 61 20 43 30 52 50 30 52 41 54 49 30 4e --------- Hex Payload End ----------- ^[1-9]\x00\d content:"1#0"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; content:"1#0"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:trojan-activity; sid:2021117; rev:1;) Parser failed - skipping rule \.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".asp?"; |---------------------| Building Rule: 2021118 -------- Hex Payload Start ---------- 47 45 54 20 20 20 4d 53 49 45 20 20 74 20 3a --------- Hex Payload End ----------- \?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"?wd="; |---------------------| Building Rule: 2021119 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- 
Hex Payload End ----------- |---------------------| Building Rule: 2021120 Error here depth! -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 65 61 72 74 68 74 6f 6f 6c 73 2e 6f 72 67 0d 0a 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021121 Protocol Not Supported |---------------------| Building Rule: 2021122 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021123 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 48 61 63 6b 65 64 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:1;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:1;) Parser failed - skipping rule |---------------------| Building Rule: 2021126 Error here within! 
-------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 51 cb 7b fc 19 9b 77 fb --------- Hex Payload End ----------- |---------------------| Building Rule: 2021127 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 51 cb 7b fc 19 9b 77 fb --------- Hex Payload End ----------- \/proxy$ uricontent:"/proxy"; |---------------------| Building Rule: 2021128 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a 20 74 --------- Hex Payload End ----------- \/blog$ uricontent:"/blog"; |---------------------| Building Rule: 2021129 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a 20 74 20 2e --------- Hex Payload End ----------- \/target$ uricontent:"/target"; |---------------------| Building Rule: 2021130 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a 20 74 20 2e --------- Hex Payload End ----------- \/botlogger\.php$ uricontent:"/botlogger.php"; |---------------------| Building Rule: 2021131 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a 20 74 20 2e --------- Hex Payload End ----------- &version=\d+$ uricontent:"&version=0"; |---------------------| Building Rule: 2021132 -------- Hex Payload Start ---------- 47 45 54 20 20 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 20 3a --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; content:!"Referer|3a|"; http_header; content:"username="; http_client_body; content:"memory_total="; http_client_body; content:"os_caption="; http_client_body; content:"os_serialnumber="; http_client_body; fast_pattern:only; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021133; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021134
Protocol Not Supported
|---------------------|
Building Rule: 2021135
-------- Hex Payload Start ----------
70 72 6f 64 75 63 65 64 20 62 79 20 53 79 6e 61 70 73 65 20 58 2d 6d 61 69 6c 65 72 3a 20 53 79 6e 61 70 73 65 20 2d 20 50 61 73 63 61 6c 20 54 43 50 2f 49 50 20 6c 69 62 72 61 72 79 20 62 79 20 4c 75 6b 61 73 20 47 65 62 61 75 65 72
--------- Hex Payload End -----------
^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))
Parser failed - skipping rule
^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))
Parser failed - skipping rule
|---------------------|
Building Rule: Protocol Not Supported
\/gate\.php$ uricontent:"/gate.php";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN H1N1 Loader CnC Beacon M1"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http_header; uricontent:"/gate.php"; pcre:"/^[A-Za-z0-9/_]+={0,2}$/P"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:trojan-activity; sid:2021139; rev:2;)
Parser failed - skipping rule
\.php$ uricontent:".php";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN H1N1 Loader CnC Beacon M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http_header; content:"N0BRBh"; depth:6; http_client_body; fast_pattern; uricontent:".php"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:trojan-activity; sid:2021140; rev:2;)
Parser failed - skipping rule
^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\.
Parser failed - skipping rule
\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14} uricontent:"/a/infects/a?a=#a";
|---------------------|
Building Rule: 2021142
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: Protocol Not Supported
\.php$ uricontent:".php";
|---------------------|
Building Rule: 2021144
-------- Hex Payload Start ----------
50 4f 53 54 20 2e 70 68 70 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 6e 69 74 5f 6c 6f 76 65 20 3a 20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021145
Protocol Not Supported
|---------------------|
Building Rule: 2021146
Protocol Not Supported
|---------------------|
Building Rule: 2021147
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 74 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021148
-------- Hex Payload Start ----------
53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 30 2e 32 2e 32 35 20 28 52 65 64 48 61 74 29 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021149
Error here depth!
Error here within!
Error here within!
Error here within!
Error here depth!
Parser failed - skipping rule
|---------------------|
Building Rule: 2021150
-------- Hex Payload Start ----------
18 00 00 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021151
Error here within!
Error here within!
Parser failed - skipping rule
|---------------------|
Building Rule: 2021152
Error here within!
Error here within!
Parser failed - skipping rule
^\/[a-z]+\/\?ip= uricontent:"/a/?ip=";
|---------------------|
Building Rule: 2021153
-------- Hex Payload Start ----------
47 45 54 20 20 20 3a 20 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021154
Protocol Not Supported
|---------------------|
Building Rule: 2021155
Protocol Not Supported
|---------------------|
Building Rule: 2021156
-------- Hex Payload Start ----------
0d 0a 0d 0a 47 49 46 38 39 61 3d 3b 75 72 6c 3d 69 66 72 61 6d 65 3b 74 61 69 6c 3d
--------- Hex Payload End -----------
^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??
Parser failed - skipping rule
^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??
Parser failed - skipping rule
\/[a-f0-9]{32}\.png$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.png";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Gatak.DR Payload Instructions"; flow:established,to_server; content:"GET"; http_method; urilen:45; content:"/uploads/"; depth:9; http_uri; fast_pattern; content:".png"; distance:32; within:4; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|29 0d 0a|"; http_header; uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.png"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2021163
Error here depth!
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 77 64 74 68 76 62 36 6a 75 74 32 72 75 70 75 34 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021164 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 78 77 78 77 6e 69 6e 6b 73 73 75 6a 67 6c 6a 61 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021165 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 37 66 61 36 67 6c 64 78 67 36 34 74 35 77 6e 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021166 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021167 -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 2e 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021169 -------- Hex Payload Start ---------- 53 63 72 69 70 74 2e 45 6e 63 6f 64 65 20 3c 21 2d 2d 20 23 40 7e --------- Hex Payload End ----------- type both,track by_src,count 10,seconds 60 |---------------------| Building Rule: 2021170 -------- Hex Payload Start ---------- 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- type both,track by_src,count 10,seconds 60 |---------------------| Building Rule: 2021171 -------- Hex Payload Start ---------- 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 --------- Hex Payload End ----------- type both,track by_dst,count 10,seconds 60 |---------------------| Building Rule: 2021172 -------- Hex Payload Start ---------- 7a 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021173 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021174 -------- Hex Payload Start ---------- 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021175 Protocol Not Supported ^\d{3} content:"000"; |---------------------| Building Rule: 2021176 Error here depth! -------- Hex Payload Start ---------- 20 20 20 00 6c 6c 7c 27 7c 27 7c 20 30 30 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021177 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 57 41 52 4e 49 4e 47 3a 20 49 4e 54 45 52 
4e 45 54 20 53 45 43 55 52 49 54 59 20 41 4c 45 52 54 3c 2f 74 69 74 6c 65 3e 66 75 6e 63 74 69 6f 6e 20 6d 79 46 75 6e 63 74 69 6f 6e 28 29 44 75 65 20 74 6f 20 53 75 73 70 69 63 69 6f 75 73 20 41 63 74 69 76 69 74 79
--------- Hex Payload End -----------
^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02\x09.{9} content:"00#000000000000000##### 000000000";
Unsupported keyword!
Error parsing rule contents
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern:only; content:"|16 03 03|"; content:"00#000000000000000##### 000000000"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; reference:url,blog.didierstevens.com/; classtype:trojan-activity; sid:2021178; rev:1;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021179
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 53 4d 42 7b 41 41 30 45 45 44 32 35 2d 34 31 36 37 2d 34 43 42 42 2d 42 44 41 38 2d 39 41 30 46 35 46 46 39 33 45 41 38 7d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021180
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 20 53 4d 42 7b 00 41 00 41 00 30 00 45 00 45 00 44 00 32 00 35 00 2d 00 34 00 31 00 36 00 37 00 2d 00 34 00 43 00 42 00 42 00 2d 00 42 00 44 00 41 00 38 00 2d 00 39 00 41 00 30 00 46 00 35 00 46 00 46 00 39 00 33 00 45 00 41 00 38 00 7d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021181
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 4d 49 43 52 4f 53 4f 46 54 20 57 49 4e 44 4f 57 53 20 53 45 43 55 52 49 54 59 20 41 4c 45 52 54 3c 2f 74 69 74 6c 65 3e 3c 74 69 74 6c 65 3e 57 41 52 4e 49 4e 47 3a 20 56 49 52 55 53 20 43 48 45 43 4b 3c 2f 74 69 74 6c 65 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021182
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 57 41 52 4e 49 4e 47 3a 20 56 49 52 55 53 20 43 48 45 43 4b 3c 2f 74 69 74 6c 65 3e 66 75 6e 63 74 69 6f 6e 20 6d 79 46 75 6e 63 74 69 6f 6e 28 29 54 68 65 72 65 20 69 73 20 61 20 2e 6e 65 74 20 66 72 61 6d 65 20 77 6f 72 6b 20 66 69 6c 65 20 6d 69 73 73 69 6e 67 20 64 75 65 20 74 6f 20 73 6f 6d 65 20 68 61 72 6d 66 75 6c 6c 20 76 69 72 75 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021183
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 41 64 76 69 73 65 64 20 53 79 73 74 65 6d 20 53 75 70 70 6f 72 74 21 3c 2f 74 69 74 6c 65 3e 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 20 4d 61 79 20 4e 6f 74 20 42 65 20 50 72 6f 74 65 63 74 65 64 50 6f 73 73 69 62 6c 65 20 6e 65 74 77 6f 72 6b 20 64 61 6d 61 67 65 73 20 69 66 20 76 69 72 75 73 20 6e 6f 74 20 72 65 6d 6f 76 65 64 20 69 6d 6d 65 64 69 61 74 65 6c 79
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021184
-------- Hex Payload Start ----------
50 4f 53 54 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 53 4a 5a 4a 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 33 32 29 20 48 4f 53 54 3a 20 20 74 20 3a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021186
Protocol Not Supported
|---------------------|
Building Rule: 2021187
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 65 72 6f 65 72 6f 6f 75 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021188
-------- Hex Payload Start ----------
47 45 54 20 20 20 20
--------- Hex Payload End -----------
\.php\?pn=[^&]+&s=[0-9]+&x=0\.[0-9]{7}$ uricontent:".php?pn=#&s=0&x=0.0000000";
|---------------------|
Building Rule: 2021189
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021190
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0d 63 6c 75 73 74 65 72 70 61 79 74 6f 72 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021191
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0b 73 74 61 74 65 70 61 79 74 6f 72 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021192
Protocol Not Supported
|---------------------|
Building Rule: 2021193
Protocol Not Supported
|---------------------|
Building Rule: 2021194
Protocol Not Supported
|---------------------|
Building Rule: 2021195
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 77 68 6f 65 72 2e 6e 65 74 0d 0a 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021196
Protocol Not Supported
|---------------------|
Building Rule: 2021197
Protocol Not Supported
|---------------------|
Building Rule: 2021198
Protocol Not Supported
|---------------------|
Building Rule: 2021199
Protocol Not Supported
|---------------------|
Building Rule: 2021200
-------- Hex Payload Start ----------
47 45 54 20 20 2e 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021201
-------- Hex Payload Start ----------
47 45 54 20 20 20 2e 20 3a
--------- Hex Payload End -----------
\.jpg\?id=\d+$ uricontent:".jpg?id=0";
|---------------------|
Building Rule: 2021203
-------- Hex Payload Start ----------
47 45 54 20 20 74 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021204
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 74 6f 78 69 63 6f 6c 61 37 71 77 76 33 37 71 6a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021205
-------- Hex Payload Start ----------
47 45 54 20 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 31 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021206
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 49 4e 54 45 52 4e 45 54 20 42 52 4f 57 53 45 52 20 50 52 4f 43 45 53 53 20 57 41 52 4e 49 4e 47 20 45 52 52 4f 52 3c 2f 74 69 74 6c 65 3e 57 49 4e 44 4f 57 53 20 48 45 41 4c 54 48 20 49 53 20 43 52 49 54 49 43 41 4c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021207
-------- Hex Payload Start ----------
3c 74 69 74 6c 65 3e 4e 6f 72 74 6f 6e 20 46 69 72 65 77 61 6c 6c 20 57 61 72 6e 69 6e 67 3c 2f 74 69 74 6c 65 3e 66 75 6e 63 74 69 6f 6e 20 6d 79 46 75 6e 63 74 69 6f 6e 28 29 57 69 6e 64 6f 77 73 20 68 61 73 20 62 6c 6f 63 6b 65 64 20 61 63 63 65 73 73 20 74 6f 20 74 68 65 20 49 6e 74 65 72 6e 65 74 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021208
Protocol Not Supported
|---------------------|
Building Rule: 2021209
Protocol Not Supported
|---------------------|
Building Rule: 2021210
Protocol Not Supported
|---------------------|
Building Rule: 2021211
Protocol Not Supported
|---------------------|
Building Rule: 2021212
Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: Protocol Not Supported
|---------------------|
Building Rule: 2021215
-------- Hex Payload Start ----------
47 45 54 20 3a 20 48 6f 73 74 3a 20 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 0d 0a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b
57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021217 -------- Hex Payload Start ---------- 74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c --------- Hex Payload End ----------- |---------------------| Building Rule: 2021218 -------- Hex Payload Start ---------- 62 61 73 65 36 34 64 65 63 6f 64 65 20 78 78 74 65 61 5f 64 65 63 72 79 70 74 20 6c 6f 6e 67 32 73 74 72 20 73 74 72 32 6c 6f 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021219 -------- Hex Payload Start ---------- 20 2f 69 6e 64 65 78 2e 68 74 6d 6c 20 63 63 6b 5f 6c 61 73 74 74 69 6d 65 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021220 Protocol Not Supported |---------------------| Building Rule: 2021221 Protocol Not Supported |---------------------| Building Rule: 2021222 Protocol Not Supported |---------------------| Building Rule: 2021223 Protocol Not Supported |---------------------| Building Rule: 2021224 Protocol Not Supported \/\d+\/\d+\.exe$ uricontent:"/0/0.exe"; |---------------------| Building Rule: 2021245 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 3a 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021226 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021227 -------- Hex Payload Start ---------- 47 45 54 20 20 72 65 64 69 72 65 63 74 3a 20 3a 20 76 65 72 73 69 6f 6e 3a 20 20 61 69 64 3a 20 20 62 75 69 6c 64 64 61 74 65 3a 20 20 70 69 64 3a 20 --------- Hex Payload End ----------- \.php\?c=[a-f0-9]{160}$ uricontent:".php?c=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2021228 -------- Hex 
Payload Start ---------- 47 45 54 20 20 52 65 66 65 72 65 72 3a 20 2e 70 68 70 3f 71 3d --------- Hex Payload End ----------- \/(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})\.jpg$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/.jpg"; |---------------------| Building Rule: 2021229 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 72 65 63 6f 72 64 69 64 3d 20 72 65 63 6f 72 64 69 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021230 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 7b 41 41 46 46 43 34 46 30 2d 45 30 34 42 2d 34 43 37 43 2d 42 34 30 41 2d 42 34 35 44 45 39 37 31 45 38 31 45 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021231 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 7b 41 42 36 31 37 32 45 44 2d 38 31 30 35 2d 34 39 39 36 2d 39 44 32 41 2d 35 39 37 42 35 46 38 32 37 35 30 31 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021232 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 7b 30 37 31 30 38 38 30 46 2d 33 41 35 35 2d 34 41 32 44 2d 41 41 36 37 2d 31 31 32 33 33 38 34 46 44 38 35 39 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021233 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 7b 36 43 35 31 41 34 44 42 2d 45 33 44 45 2d 34 46 45 42 2d 38 36 41 34 2d 33 32 46 37 46 38 45 37 33 42 39 39 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021234 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 7b 37 46 39 42 43 46 43 30 2d 42 33 36 42 2d 34 35 45 43 2d 42 33 37 37 2d 44 38 38 35 39 37 42 45 35 44 37 38 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021235 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 7b 35 37 44 32 44 45 39 32 2d 43 45 31 37 2d 34 41 35 37 2d 42 46 44 37 2d 43 44 33 43 36 45 39 36 35 43 36 41 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021236 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 00 7b 00 41 00 41 00 46 00 46 00 43 00 34 00 46 00 30 00 2d 00 45 00 30 00 34 00 42 00 2d 00 34 00 43 00 37 00 43 00 2d 00 42 00 34 00 30 00 41 00 2d 00 42 00 34 00 35 00 44 00 45 00 39 00 37 00 31 00 45 00 38 00 31 00 45 00 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021237 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 00 7b 00 41 00 42 00 36 00 31 00 37 00 32 00 45 00 44 00 2d 00 38 00 31 00 30 00 35 00 2d 00 34 00 39 00 39 00 36 00 2d 00 39 00 44 00 32 00 41 00 2d 00 35 00 39 00 37 00 42 00 35 00 46 00 38 00 32 00 37 00 35 00 30 00 31 00 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021238 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 00 7b 00 30 00 37 00 31 00 30 00 38 00 38 00 30 00 46 00 2d 00 33 00 41 00 35 00 35 00 2d 00 34 00 41 00 32 00 44 00 2d 00 41 00 41 00 36 00 37 00 2d 00 31 00 31 00 32 00 33 00 33 00 38 00 34 00 46 00 44 00 38 00 35 00 39 00 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021239 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 00 7b 00 36 00 43 00 35 00 31 00 41 00 34 00 44 00 42 00 2d 00 45 00 33 00 44 00 45 00 2d 00 34 00 46 00 45 00 42 00 2d 00 38 00 36 00 41 00 34 00 2d 00 33 00 32 00 46 00 37 00 46 00 38 00 45 00 37 00 33 00 42 00 39 00 39 00 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021240 Error here depth! 
-------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 00 7b 00 37 00 46 00 39 00 42 00 43 00 46 00 43 00 30 00 2d 00 42 00 33 00 36 00 42 00 2d 00 34 00 35 00 45 00 43 00 2d 00 42 00 33 00 37 00 37 00 2d 00 44 00 38 00 38 00 35 00 39 00 37 00 42 00 45 00 35 00 44 00 37 00 38 00 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021241 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 53 4d 42 00 7b 00 35 00 37 00 44 00 32 00 44 00 45 00 39 00 32 00 2d 00 43 00 45 00 31 00 37 00 2d 00 34 00 41 00 35 00 37 00 2d 00 42 00 46 00 44 00 37 00 2d 00 43 00 44 00 33 00 43 00 36 00 45 00 39 00 36 00 35 00 43 00 36 00 41 00 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021242 -------- Hex Payload Start ---------- 72 6f 6d 61 6e 69 61 6e 2e 61 6e 74 69 68 61 63 6b 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021244 -------- Hex Payload Start ---------- 66 69 6c 65 6e 61 6d 65 3d 22 63 72 79 70 74 65 64 2e 31 32 30 2e 65 78 65 22 --------- Hex Payload End ----------- ^\/([a-z]{4,9}\/[a-z]{4,12}\?[a-z]{4,7}\=[0-9]{5,7})$ uricontent:"/aaaa/aaaa?aaaa=00000"; |---------------------| Building Rule: 2021246 -------- Hex Payload Start ---------- 50 4f 53 54 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 29 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$ NOT IMPL Groupref uricontent:"/aaa_aaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; uricontent:"/aaa_aaaaaa"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021248; rev:7;) Parser failed - skipping rule |---------------------| Building Rule: 2021250 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 69 70 2e 77 65 62 6d 61 73 74 65 72 68 6f 6d 65 2e 63 6e 0d 0a 20 3a --------- Hex Payload End ----------- \?sid=[a-f0-9]{40}&cid=[0-9]$ uricontent:"?sid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&cid=0"; |---------------------| Building Rule: 2021251 -------- Hex Payload Start ---------- 47 45 54 20 20 52 65 66 65 72 65 72 3a 20 2e 70 68 70 3f 71 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021252 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 7a 62 71 78 70 6a 66 76 6c 74 62 36 64 36 32 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021254 -------- Hex Payload Start ---------- 00 00 0d 6b 72 75 73 70 65 72 6f 6e 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021256 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 46 69 72 65 77 61 6c 6c 20 41 6c 65 72 74 21 3c 2f 74 69 74 6c 65 3e 6d 79 46 75 6e 63 74 69 6f 6e 28 29 77 61 72 6e 69 6e 67 5f 6d 65 73 73 61 67 65 2e 70 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021255 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 2a 2a 2a 20 53 65 63 75 72 69 74 79 20 45 72 72 6f 72 20 43 6f 64 65 20 30 78 38 30 30 37 30 34 32 34 3c 2f 74 69 74 6c 65 3e 46 69 72 65 77 61 6c 6c 20 49 6e 66 65 63 74 65 64 --------- Hex Payload End ----------- ^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/s?0;0;0.0__0"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/s?"; depth:3; http_uri; fast_pattern; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"."; distance:1; within:2; http_uri; content:"_"; distance:0; http_uri; uricontent:"/s?0;0;0.0__0"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021257; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021258 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 56 49 52 55 53 20 57 41 52 4e 49 4e 47 21 3c 2f 74 69 74 6c 65 3e 6d 79 46 75 6e 63 74 69 6f 6e 28 29 67 70 2d 6d 73 67 2e 6d 70 33 --------- Hex Payload End ----------- ^\d\.\d_(?:64|32)_\d\x3a content:"0.0__0:"; |---------------------| Building Rule: 2021259 -------- Hex Payload Start ---------- 47 45 54 20 20 52 65 66 65 72 65 72 3a 20 31 3a 20 30 2e 30 5f 5f 30 3a 20 45 6d 70 74 79 0d 0a --------- Hex Payload End ----------- type limit, track by_src, count 1, seconds 60 |---------------------| Building Rule: 2021260 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported ^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$ uricontent:"/index.php?aaaaaaaa="; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Landing URI Struct June 13 M1"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; uricontent:"/index.php?aaaaaaaa="; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?P=refhost))/Hsi"; classtype:trojan-activity; sid:2021263; rev:2;) Parser failed - skipping rule ^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$ uricontent:"/index.php?aaaaaaaa="; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Landing URI Struct June 13 M2"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; uricontent:"/index.php?aaaaaaaa="; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; classtype:trojan-activity; sid:2021264; rev:2;) Parser failed - skipping rule ^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$ uricontent:"/index.php?aaaaaaaa="; |---------------------| Building Rule: 2021265 -------- Hex Payload Start ---------- 20 3a --------- Hex Payload End ----------- ^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$ NOT IMPL Groupref uricontent:"/aaa_aaaaaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; uricontent:"/aaa_aaaaaa"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021266; rev:2;) Parser failed - skipping rule ^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$ NOT IMPL Groupref uricontent:"/aaa_aaaaaa"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; uricontent:"/aaa_aaaaaa"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021267; rev:2;) Parser failed - skipping rule ^\/report[0-9]?_(?:v[0-9])?[A-Z]?[A-F0-9_-]+_[0-9]{1,3}_(?:st(?:arted|ep)|already|mark|p(?:rocess|a(?:ge|yload))|watch2|http|image|gdiplus|crc|DIRRR|finished|(?:ex(cept|ecuted))) NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/report_A_0_"; |---------------------| Building Rule: 2021268 -------- Hex Payload Start ---------- 20 20 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 29 --------- Hex Payload End ----------- ^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/search?a=a"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; uricontent:"/search?a=a"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021269; rev:2;) Parser failed - skipping rule ^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/search?a=a"; Unsupported keyword! 
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; uricontent:"/search?a=a"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021270; rev:2;) Parser failed - skipping rule ^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/search?a=a"; Unsupported keyword! Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; uricontent:"/search?a=a"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021271; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021273 Protocol Not Supported \/[a-f0-9]{8}\/page_\d{8,10}\.html$ uricontent:"/aaaaaaaa/page_00000000.html"; |---------------------| Building Rule: 2021274 -------- Hex Payload Start ---------- 47 45 54 20 20 20 2e 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 --------- Hex Payload End ----------- ^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$ uricontent:"/aaaaaaaa/A00000000.html"; |---------------------| Building Rule: 2021275 Error here depth! Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 2e 20 3a 20 41 3d 20 43 6f 6f 6b 69 65 3a 20 41 3d --------- Hex Payload End ----------- \/\d{8,10}\.html$ uricontent:"/00000000.html"; |---------------------| Building Rule: 2021276 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 2e 20 2e 20 3a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a --------- Hex Payload End ----------- \/[a-f0-9]{8}\/archive\/\d{8,10}\.html$ uricontent:"/aaaaaaaa/archive/00000000.html"; |---------------------| Building Rule: 2021277 Error here within! -------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2e 20 3a --------- Hex Payload End ----------- \/\d{8,10}\.html$ uricontent:"/00000000.html"; |---------------------| Building Rule: 2021278 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 58 58 3d 20 42 58 3d 20 43 6f 6f 6b 69 65 3a 20 58 58 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021279 Protocol Not Supported |---------------------| Building Rule: 2021280 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 51 cb 7b fc 19 9b 77 fb --------- Hex Payload End ----------- |---------------------| Building Rule: 2021281 -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 08 fe 4a ac c6 d6 06 8d --------- Hex Payload End ----------- ^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/)) uricontent:"/v2/"; |---------------------| Building Rule: 2021282 Error here depth! 
-------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 43 72 79 70 74 6f 2d 56 65 72 73 69 6f 6e 3a 20 2e --------- Hex Payload End ----------- \/launch\/$ uricontent:"/launch/"; |---------------------| Building Rule: 2021283 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 58 2d 43 72 79 70 74 6f 2d 56 65 72 73 69 6f 6e 3a 20 2e 20 3a --------- Hex Payload End ----------- \/lns.txt$ uricontent:"/lns0txt"; |---------------------| Building Rule: 2021284 -------- Hex Payload Start ---------- 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021285 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 57 49 4e 44 4f 57 53 20 57 41 52 4e 49 4e 47 20 45 52 52 4f 52 3c 2f 74 69 74 6c 65 3e 6d 79 46 75 6e 63 74 69 6f 6e 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021286 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 53 65 63 75 72 69 74 79 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 20 6d 79 46 75 6e 63 74 69 6f 6e 28 29 20 73 65 74 49 6e 74 65 72 76 61 6c 20 57 41 52 4e 49 4e 47 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021287 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 56 69 72 75 73 20 46 69 72 65 77 61 6c 6c 20 41 6c 65 72 74 21 3c 2f 74 69 74 6c 65 3e 6d 79 46 75 6e 63 74 69 6f 6e 28 29 70 6f 70 75 70 2d 6d 61 63 2d 77 61 72 6e 69 6e 67 2e 70 6e 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021288 -------- Hex Payload Start ---------- 6f 6e 6c 6f 61 64 3d 22 6d 79 46 75 6e 63 74 69 6f 6e 28 29 3b 22 20 6f 6e 6d 6f 75 73 65 6f 76 65 72 3d 22 6d 79 46 75 6e 63 74 69 6f 6e 28 29 3b 22 20 6f 6e 63 6c 69 63 6b 3d 22 6d 79 46 75 6e 63 74 69 6f 6e 28 29 3b 22 20 6f 6e 6b 65 79 64 6f 77 6e 3d 22 6d 79 46 75 6e 63 74 69 6f 6e 28 29 3b 22 20 6f 6e 75 6e 6c 6f 61 64 3d 22 6d 79 46 75 6e 63 74 69 6f 6e 28 29 3b 22 --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2021289 Protocol Not Supported |---------------------| Building Rule: 2021290 -------- Hex Payload Start ---------- 01 00 00 00 02 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021291 -------- Hex Payload Start ---------- 76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77 --------- Hex Payload End ----------- \/win\.html$ uricontent:"/win.html"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; uricontent:"/win.html"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/Hsi"; classtype:trojan-activity; sid:2021292; rev:2;) Parser failed - skipping rule \/win\.html$ uricontent:"/win.html"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; uricontent:"/win.html"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/Hsi"; classtype:trojan-activity; sid:2021293; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021294 -------- Hex Payload Start ---------- 2f 41 6c 65 72 74 5f 66 69 6c 65 73 2f 44 75 65 20 74 6f 20 61 20 74 68 69 72 64 20 70 61 72 74 79 20 61 70 70 6c 69 63 61 74 69 6f 6e 69 4f 53 20 69 73 20 63 72 61 73 68 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021295 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Fake Login Page Credential Theft June 17 2015 M1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"username="; depth:9; http_client_body; fast_pattern; content:"&password="; http_client_body; distance:0; content:"&remember_me="; distance:0; http_client_body; content:"&vi="; http_client_body; distance:0; classtype:trojan-activity; sid:2021296; rev:5;) Parser failed - skipping rule \.php$ uricontent:".php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Fake Login Page Credential Theft June 17 2015 M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"email="; depth:6; http_client_body; fast_pattern; content:"&pswd="; http_client_body; distance:0; content:"&Button1="; http_client_body; distance:0; uricontent:".php"; classtype:trojan-activity; sid:2021297; rev:4;) Parser failed - skipping rule \.php$ uricontent:".php"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Fake Login Page Credential Theft June 17 2015 M3"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"server="; depth:7; http_client_body; fast_pattern; content:"&username="; http_client_body; distance:0; content:"&password="; distance:0; http_client_body; uricontent:".php"; classtype:trojan-activity; sid:2021298; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021299 -------- Hex Payload Start ---------- 47 45 54 20 20 3a --------- Hex Payload End ----------- ^\/[a-z]+?\.*?ini\?\d+$ uricontent:"/aini?0"; |---------------------| Building Rule: 2021300 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021301 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 5b 43 6f 6e 66 69 67 5d 0d 0a 5b 50 72 6f 63 65 73 73 5d 0d 0a 31 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021302 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 62 70 71 34 64 75 62 34 72 6c 69 76 76 73 77 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021303 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 67 7a 63 37 6c 6a 34 72 76 6d 6b 67 32 35 64 6d --------- Hex Payload End ----------- \/\d{4,}\.txt$ uricontent:"/0000.txt"; |---------------------| Building Rule: 2021304 -------- Hex Payload Start ---------- 47 45 54 20 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 57 69 6e 33 32 3b 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 2e 35 29 0d 0a 20 41 63 63 65 70 74 3a 20 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a --------- Hex Payload End ----------- ^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/a/0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/:http:/"; |---------------------| Building Rule: 2021305 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported ^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$ NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/a/0/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a?time=#&stamp=0"; |---------------------| Building Rule: 2021307 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- ^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/a/a/4/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern:only; uricontent:"/a/a/4/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:trojan-activity; sid:2021308; rev:2;)
Parser failed - skipping rule
^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/a/a/0/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; uricontent:"/a/a/0/A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; flowbits:set,ET.CottonCastle.Exploit; classtype:trojan-activity; sid:2021309; rev:2;)
Parser failed - skipping rule
^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]
content:"="8.8.8.8"";
|---------------------|
Building Rule: 2021310
-------- Hex Payload Start ----------
53 63 72 69 70 74 45 6e 67 69 6e 65 4d 61 6a 6f 72 56 65 72 73 69 6f 6e 20 53 63 72 69 70 74 45 6e 67 69 6e 65 4d 69 6e 6f 72 56 65 72 73 69 6f 6e 20 53 63 72 69 70 74 45 6e 67 69 6e 65 42 75 69 6c 64 56 65 72 73 69 6f 6e 20 6a 61 76 61 66 78 5f 76 65 72 73 69 6f 6e 20 69 70 20 3d 22 38 2e 38 2e 38 2e 38 22 20 38 2e 38 2e 38 2e 38
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021311
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 77 69 6e 69 6e 65 74 0d 0a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021313
-------- Hex Payload Start ----------
64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021314
Protocol Not Supported
|---------------------|
Building Rule: 2021315
Protocol Not Supported
^\d+
content:"0";
Unsupported keyword!
Error parsing rule contents
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ChinaZ DDoS Bot Checkin 2 "; flow:established,to_server; content:"*"; content:"0"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:trojan-activity; sid:2021316; rev:1;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021317
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 35 73 73 65 36 6a 34 6b 64 61 65 68 33 79 75 73
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021318
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 6b 75 72 72 6d 70 66 78 36 6b 67 6d 73 6f 70 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021319
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 74 6b 6a 74 68 69 67 74 71 6c 76 6f 68 73 37 7a
--------- Hex Payload End -----------
^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]
content:""#68#74#74#70#3a#2f#2f##00"";
|---------------------|
Building Rule: 2021320
-------- Hex Payload Start ----------
72 65 74 75 72 6e 20 62 69 6e 61 72 79 5f 74 6f 5f 62 61 73 65 36 34 28 20 72 65 74 75 72 6e 20 20 22 00 36 38 00 37 34 00 37 34 00 37 30 00 33 61 00 32 66 00 32 66 00 00 30 30 22
--------- Hex Payload End -----------
^\/download\/ftp\/(grabftp|grabftp64)\.bin$
uricontent:"/download/ftp/grabftp.bin";
|---------------------|
Building Rule: 2021321
-------- Hex Payload Start ----------
47 45 54 20 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 3a 20 2e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"sitedomain="; depth:11; http_client_body; content:"&isSiteStateEncoded="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021322; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:".tries="; http_client_body; nocase; depth:7; content:"&.challenge="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021323; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"&_task=login&_action=login"; http_client_body; nocase; classtype:bad-unknown; sid:2021324; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021325
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 10 78 76 68 61 32 63 74 6b 61 63 78 32 75 67 33 62
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|aa|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:2;)
Parser failed - skipping rule
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021327
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 03 6e 73 31 07 68 6f 73 74 61 73 61 03 6f 72 67
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021328
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 03 6e 73 32 07 68 6f 73 74 61 73 61 03 6f 72 67
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021329
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 03 6e 73 33 07 68 6f 73 74 61 73 61 03 6f 72 67
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021330
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 03 6e 73 34 07 68 6f 73 74 61 73 61 03 6f 72 67
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021331
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 02 67 68 07 64 73 61 6a 32 61 31 03 6f 72 67
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021332
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 08 6e 61 76 65 72 74 30 70 03 63 6f 6d
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021333
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0d 77 61 6e 67 7a 6f 6e 67 66 61 63 61 69 03 63 6f 6d
--------- Hex Payload End -----------
iid=[a-fA-F0-9]{32}&kernel=
uricontent:"iid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&kernel=";
|---------------------|
Building Rule: 2021334
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
iid=[a-fA-F0-9]{32}&username=
uricontent:"iid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&username=";
|---------------------|
Building Rule: 2021335
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021336
-------- Hex Payload Start ----------
50 4f 53 54 20 4d 53 49 45 20 36 2e 30 3a 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 32 3a 20 53 56 31 3a 20 54 65 6e 63 65 6e 74 54 72 61 76 65 6c 65 72 20 3a 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
^\d+\x3b
content:"0;";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern:31,20; content:"0;"; content:"<style>"; pcre:"/^\.(?P<vname>[a-z]+)\{position\x3aabsolute\x3b[a-z]+\x3a\s*?\-\d+px[^\r\n]*?<\/style><div class=\x22(?P=vname)\x22><iframe/R"; classtype:trojan-activity; sid:2021338; rev:11;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021339
Protocol Not Supported
|---------------------|
Building Rule: 2021340
Protocol Not Supported
|---------------------|
Building Rule: 2021341
Protocol Not Supported
|---------------------|
Building Rule: 2021342
Protocol Not Supported
|---------------------|
Building Rule: 2021343
Protocol Not Supported
|---------------------|
Building Rule: 2021344
Protocol Not Supported
|---------------------|
Building Rule: 2021345
Protocol Not Supported
|---------------------|
Building Rule: 2021346
Protocol Not Supported
|---------------------|
Building Rule: 2021347
Protocol Not Supported
|---------------------|
Building Rule: 2021348
Protocol Not Supported
|---------------------|
Building Rule: 2021349
Protocol Not Supported
|---------------------|
Building Rule: 2021350
Protocol Not Supported
|---------------------|
Building Rule: 2021351
Protocol Not Supported
|---------------------|
Building Rule: 2021352
-------- Hex Payload Start ----------
20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 4d 61 63 69 6e 74 6f 73 68 3b 20 49 6e 74 65 6c 20 4d 61 63 20 4f 53 20 58 20 31 30 5f 31 30 5f 32 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 36 30 30 2e 34 2e 31 30 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 56 65 72 73 69 6f 6e 2f 38 2e 30 2e 34 20 53 61 66 61 72 69 2f 36 30 30 2e 34 2e 31 30 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 64 65 66 6c 61 74 65 0d
0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 73 0d 0a 48 4f 53 54 3a 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021353 Protocol Not Supported |---------------------| Building Rule: 2021354 Protocol Not Supported |---------------------| Building Rule: 2021355 Protocol Not Supported \.php\?cid=[0-9]-w[A-Z0-9]{23}$ uricontent:".php?cid=0-wAAAAAAAAAAAAAAAAAAAAAAA"; |---------------------| Building Rule: 2021357 -------- Hex Payload Start ---------- 47 45 54 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021358 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 53 43 41 4e 4e 49 4e 47 2e 2e 6d 79 46 75 6e 63 74 69 6f 6e 28 29 76 69 72 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021359 -------- Hex Payload Start ---------- 65 2e 63 74 72 6c 4b 65 79 20 26 26 65 2e 6b 65 79 43 6f 64 65 20 3d 3d 3d 65 2e 6b 65 79 43 6f 64 65 20 3d 3d 3d 65 2e 6b 65 79 43 6f 64 65 20 3d 3d 3d 49 50 20 68 61 73 20 62 65 65 6e 20 52 65 67 69 73 74 65 64 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021360 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 51 cb 7b fc 19 9b 77 fb --------- Hex Payload End ----------- |---------------------| Building Rule: 2021361 Error here within! 
-------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 51 cb 7b fc 19 9b 77 fb --------- Hex Payload End ----------- |---------------------| Building Rule: 2021363 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 64 6a 64 6b 64 75 65 70 36 32 6b 7a 34 6e 7a 78 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021365 -------- Hex Payload Start ---------- 64 69 76 20 63 6c 61 73 73 3d 22 77 68 61 74 2d 74 6f 2d 64 6f 22 64 69 76 20 63 6c 61 73 73 3d 22 6d 6f 72 65 2d 61 62 6f 75 74 2d 74 68 65 2d 76 69 72 75 73 22 64 69 76 20 63 6c 61 73 73 3d 22 73 65 72 76 69 63 65 22 64 69 76 20 63 6c 61 73 73 3d 22 77 69 6e 64 6f 77 73 2d 6c 6f 67 6f 22 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021366 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 63 73 73 20 2e 68 65 61 64 65 72 2d 77 61 72 6e 69 6e 67 2e 77 68 61 74 2d 74 6f 2d 64 6f 6d 6f 72 65 2d 61 62 6f 75 74 2d 74 68 65 2d 76 69 72 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021367 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021368 -------- Hex Payload Start ---------- 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 20 3c 74 69 74 6c 65 3e 57 41 52 4e 49 4e 47 3a 6f 6e 62 65 66 6f 72 65 75 6e 6c 6f 61 64 66 75 6e 63 74 69 6f 6e 28 29 76 69 72 75 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021370 Protocol Not Supported |---------------------| Building Rule: 2021371 
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 77 77 77 2e 77 68 61 74 73 6d 79 69 70 2e 75 73 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021372
Protocol Not Supported
\/e\.html$
uricontent:"/e.html";
|---------------------|
Building Rule: 2021373
-------- Hex Payload Start ----------
20 6e 68 77 65 62 3d
--------- Hex Payload End -----------
^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d
NOT IMPL Groupref
content:" 0; else a -= 0; return a.charAt(/0)}";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 02"; flow:established,from_server; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern:46,20; content:" +="; content:" 0; else a -= 0; return a.charAt(/0)}"; classtype:trojan-activity; sid:2021374; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021375
Protocol Not Supported
|---------------------|
Building Rule: 2021376
-------- Hex Payload Start ----------
20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021377
-------- Hex Payload Start ----------
20 2e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021378
-------- Hex Payload Start ----------
48 6f 73 74 3a 20 63 68 65 63 6b 69 70 2e 64 79 6e 64 6e 73 2e 6f 72 67 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021379
Protocol Not Supported
|---------------------|
Building Rule: 2021384
-------- Hex Payload Start ----------
0d 0a 57 54 2d 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 54 20 47 61 6d 65 73 20 41 70 70 20
--------- Hex Payload End -----------
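The regex entries in this log show how the converter derives a sample content from a rule's pcre: the shortest repetition, the first character of a class, and nothing at all for a `(?P=name)` back-reference ("NOT IMPL Groupref", which is why sid 2021374 ends up with `a.charAt(/0)`) or for an alternation (`?write_&;` for sid 2021408). Two further defects are visible in the output: a `\x7c` in the pcre is written as a bare `|` and then re-read as a hex delimiter (sid 2021385's payload holds eight 0xaa bytes where the pcre asked for sixteen hex digits), and quotes are not escaped (`content:"="8.8.8.8""` for sid 2021310). The Python below is added here as an illustration and is not the converter's own code. It walks Python's own regex parse tree, as that converter evidently does (its `_simple(av)` message is an sre_parse function name), but fills back-references, takes the first alternative of a branch, and emits the sample through a content encoder that hex-escapes `|`, `"`, `;`, backslash and non-printable bytes. Look-arounds are not honoured, so for the Dyre certificate rules further down the sample does not satisfy the pattern and `sample_matches` says so; the candidate order and the `a` chosen for `.` are this example's own choices.

```python
"""Added example, not the converter's own code: build a shortest matching
string from a rule's pcre, including the (?P<name>...)/(?P=name) references
the log above reports as "NOT IMPL Groupref", and emit it as a safely
escaped content value.  CANDIDATES and the 'a' used for '.' are assumptions."""
import re
import string

try:
    from re import _parser as P          # Python 3.11+
except ImportError:                      # Python 3.8 to 3.10
    import sre_parse as P

# Order in which one character is tried for a class: letters first (readable
# samples), then digits, a space (for \s), then punctuation.
CANDIDATES = string.ascii_letters + string.digits + " " + string.punctuation
CATEGORY_RE = {"CATEGORY_DIGIT": r"\d", "CATEGORY_NOT_DIGIT": r"\D",
               "CATEGORY_SPACE": r"\s", "CATEGORY_NOT_SPACE": r"\S",
               "CATEGORY_WORD": r"\w", "CATEGORY_NOT_WORD": r"\W"}
# pcre body of sid 2021374 exactly as printed in the log above
REGEX_2021374 = (r"^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b"
                 r"\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d")


def split_pcre(value):
    """'"/regex/flags"' as written in a rule -> (regex, flags)."""
    value = value.strip().strip('"')
    if not value.startswith("/"):
        raise ValueError("pcre value must look like /regex/flags")
    end = value.rindex("/")
    return value[1:end], value[end + 1:]


def _in_class(item, ch):
    op, av = item
    return (op.name == "LITERAL" and ord(ch) == av
            or op.name == "RANGE" and av[0] <= ord(ch) <= av[1]
            or op.name == "CATEGORY" and re.fullmatch(CATEGORY_RE[av.name], ch) is not None)


def _class_sample(items):
    """First candidate the class accepts (or rejects, when it is negated)."""
    negated = any(op.name == "NEGATE" for op, _ in items)
    body = [it for it in items if it[0].name != "NEGATE"]
    for ch in CANDIDATES:
        if any(_in_class(it, ch) for it in body) != negated:
            return ch
    raise ValueError("character class accepts nothing printable")


def _gen(seq, groups):
    out = []
    for op, av in seq:
        name = op.name
        if name == "LITERAL":
            out.append(chr(av))
        elif name == "NOT_LITERAL":                 # sre_parse's form of [^x]
            out.append("a" if av != ord("a") else "b")
        elif name == "ANY":
            out.append("a")
        elif name == "IN":
            out.append(_class_sample(av))
        elif name in ("MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"):
            lo, _hi, item = av                      # shortest repetition
            out.append("".join(_gen(item, groups) for _ in range(lo)))
        elif name == "SUBPATTERN":
            group, _add, _del, item = av
            text = _gen(item, groups)
            if group is not None:
                groups[group] = text                # remembered for (?P=name)
            out.append(text)
        elif name == "BRANCH":
            out.append(_gen(av[1][0], groups))      # first alternative
        elif name == "GROUPREF":
            out.append(groups[av])                  # the missing back-reference
        elif name in ("AT", "ASSERT", "ASSERT_NOT"):
            pass   # anchors and look-arounds consume nothing (see sample_matches)
        else:
            raise NotImplementedError(name)
    return "".join(out)


def sample_string(pattern):
    """Shortest string this generator can build for a Python-compatible regex."""
    return _gen(P.parse(pattern), {})


def sample_matches(pattern):
    """False when an ignored look-around (as in the Dyre rules) rejects the sample."""
    return re.match(pattern, sample_string(pattern)) is not None


def to_content(sample):
    """Sample -> content value.  '|', '"', ';', backslash and non-printable
    bytes go into |xx| hex, so a literal '|' (\\x7c) is not re-read as a hex
    delimiter; sid 2021385 above got eight 0xaa bytes exactly that way."""
    parts = []
    for b in sample.encode("latin-1"):
        if 0x20 <= b < 0x7f and chr(b) not in '|";\\':
            parts.append(chr(b))
        elif parts and parts[-1].startswith("|"):
            parts[-1] = parts[-1][:-1] + f" {b:02x}|"   # extend the open hex run
        else:
            parts.append(f"|{b:02x}|")
    return '"' + "".join(parts) + '"'


if __name__ == "__main__":
    s = sample_string(REGEX_2021374)
    print(repr(s), sample_matches(REGEX_2021374), to_content(s))
```

Run `split_pcre` on the value as it appears in the rule first: the trailing `R`, `U`, `H`, `P` and `C` letters are Suricata buffer and relative-match modifiers, not regex flags, so they are returned separately and never handed to `re`. For sid 2021374 the generator yields ` 0; else a -= 0; return a.charAt(a/0)}`, the same string as the log minus the filled back-reference; for sid 2021385 it yields `"|7c|aaaaaaaaaaaaaaaa|7c|0|7c|"` instead of a content that decodes to 0xaa bytes.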
\x7c[a-f0-9]{16}\x7c\d+\x7c$ content:"|aaaaaaaaaaaaaaaa|0|"; |---------------------| Building Rule: 2021385 Error here within! -------- Hex Payload Start ---------- 7c 2a 26 7c 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7c 7c 20 aa aa aa aa aa aa aa aa 30 --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:2;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern:only; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2021388 Protocol Not Supported |---------------------| Building Rule: 2021389 -------- Hex Payload Start ---------- 2a 26 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 5e 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021391 Protocol Not Supported |---------------------| Building Rule: 2021392 -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 6e 64 72 6f 69 64 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021393 Protocol Not Supported ^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)--> NOT IMPL Groupref content:"aaaaaa--><scripttype="text/javascript"src="http://aaaaaaaa.php?id=0"></script><!--/-->"; |---------------------| Building Rule: 2021394 -------- Hex Payload Start ---------- 3e 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 2f 20 3c 21 2d 2d 20 61 61 61 61 61 61 2d 2d 3e 3c 73 63 72 69 70 74 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 73 72 63 3d 22 68 74 74 
70 3a 2f 2f 61 61 61 61 61 61 61 61 2e 70 68 70 3f 69 64 3d 30 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 2f 2d 2d 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021395
-------- Hex Payload Start ----------
48 54 54 50 5c 31 2e 31 20 53 79 63 6d 65 6e 74 65 63
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021396
-------- Hex Payload Start ----------
48 54 54 50 5c 31 2e 31 20 53 79 63 6d 65 6e 74 65 63
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021397
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule: 2021400
-------- Hex Payload Start ----------
6f 70 65 6e 4f 66 66 65 72 73 44 69 61 6c 6f 67 28 29 3b 64 72 6f 70 62 6f 78 6d 61 69 6e 63 6f 6e 74 65 6e 74 56 65 72 69 66 69 63 61 74 69 6f 6e 20 52 65 71 75 69 72 65 64
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021401
-------- Hex Payload Start ----------
47 45 54 20 20 20 3a 20 2e 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 55 70 64 61 74 65 0d 0a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021403
-------- Hex Payload Start ----------
50 4f 53 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 46 69 72 65 66 6f 78 2f 31 35 2e 30 2e 31 0d 0a
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"conteudo="; fast_pattern; depth:9; http_client_body; content:"&myFile="; http_client_body; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021404; rev:2;)
Parser failed - skipping rule
^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22
NOT IMPL Groupref
NOT IMPL Groupref
content:"#=getBits();0flashvars=\"="++"\"";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern:only; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; content:"#=getBits();0flashvars=\"="++"\""; classtype:trojan-activity; sid:2021405; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021406
-------- Hex Payload Start ----------
47 45 54 20 20 69 70 2d 61 70 69 2e 63 6f 6d
--------- Hex Payload End -----------
^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp
uricontent:"/A-A-A-A-A.asp";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; content:!"/"; offset:1; http_uri; content:".asp"; http_uri; uricontent:"/A-A-A-A-A.asp"; pcre:"/[a-z].*?[a-z]/U"; pcre:"/[A-Z].*?[A-Z]/U"; pcre:"/\d.*?\d/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/Hm"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2021407; rev:4;)
Parser failed - skipping rule
\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b
uricontent:"?write_&;";
|---------------------|
Building Rule: 2021408
-------- Hex Payload Start ----------
47 45 54 20
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021409
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0a 67 67 67 61 74 61 74 34 35 36 03 63 6f 6d
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021410
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0a 78 78 78 61 74 61 74 34 35 36 03 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021411
Protocol Not Supported
|---------------------|
Building Rule: 2021412
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0b 74 69 6e 64 75 6f 6e 67 70 68 6f 03 63 6f 6d 00
--------- Hex Payload End -----------
\.php$
uricontent:".php";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SeaDuke CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; depth:33; http_header; content:!"Accept-L"; http_header; content:!"Accept|3a|"; http_header; uricontent:".php"; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/C"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:trojan-activity; sid:2021413; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021414
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021415
Protocol Not Supported
^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0329a\x02de\x00
Parser failed - skipping rule
|---------------------|
Building Rule: 2021417
Protocol Not Supported
\.php$
uricontent:".php";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bedep HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:!"?"; http_uri; content:!"&"; http_uri; content:!"Content-Type|3a|"; http_header; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; http_header; uricontent:".php"; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/P"; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+\.php\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; classtype:trojan-activity; sid:2021418; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021419
Protocol Not Supported
|---------------------|
Building Rule: 2021420
Protocol Not Supported
|---------------------|
Building Rule: 2021421
Protocol Not Supported
|---------------------|
Building Rule: 2021422
Protocol Not Supported
|---------------------|
Building Rule: 2021423
Protocol Not Supported
|---------------------|
Building Rule: 2021424
Protocol Not Supported
|---------------------|
Building Rule: 2021425
Protocol Not Supported
|---------------------|
Building Rule: 2021426
Protocol Not Supported
|---------------------|
Building Rule: 2021429
-------- Hex Payload Start ----------
72 65 73 3a 20 6c 6f 61 64 58 4d 4c 20 70 61 72 73 65 45 72 72 6f 72 20 65 72 72 6f 72 43 6f 64 65 20 2d 32 31 34 37 30 32 33 30 38 33 20 2e 64 6c 6c
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021430
-------- Hex Payload Start ----------
72 65 73 3a 20 6c 6f 61 64 58 4d 4c 20 70 61 72 73 65 45 72 72 6f 72 20 65 72 72 6f 72 43 6f 64 65 20 2d 32 31 34 37 30 32 33 30 38 33 20 2e 73 79 73
--------- Hex Payload End
----------- |---------------------| Building Rule: 2021431 -------- Hex Payload Start ---------- 44 30 43 46 31 31 45 30 41 31 42 31 31 41 45 31 66 66 66 66 66 66 66 66 66 66 37 34 33 30 33 30 37 34 --------- Hex Payload End ----------- ^[A-Z]{2}[01] content:"AA0"; Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M1 (L O)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; content:"AA0"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:2;) Parser failed - skipping rule ^[A-Z]{2}[01] content:"AA0"; Unsupported keyword! 
Error parsing rule contents
alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M2 (L CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; content:"AA0"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:2;)
Parser failed - skipping rule
^[A-Z]{2}[01]
content:"AA0";
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M3 (O CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; content:"AA0"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:2;)
Parser failed - skipping rule
[&?]fare=
uricontent:"&fare=";
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; uricontent:"&fare="; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:trojan-activity; sid:2021435; rev:4;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021436
Protocol Not Supported
|---------------------|
Building Rule: 2021437
-------- Hex Payload Start ----------
20 20 20 75 1c 11 10 75 01 14 07 12 58 5f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021438
-------- Hex Payload Start ----------
47 45 54 20 20 64 70 6f 6f 6c 2e 73 69 6e 61 2e 63 6f 6d 2e 63 6e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"ID_MAQUINA="; depth:11; nocase; http_client_body; fast_pattern; content:"&VERSAO="; distance:0; nocase; http_client_body; content:"&WIN="; distance:0; nocase; http_client_body; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:trojan-activity; sid:2021439; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule:
Protocol Not Supported
^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.jpg\x22\x0d\x0a
content:"#a0.jpg" ";
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021443
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 02 76 38 05 66 31 31 32 32 03 6f 72 67
--------- Hex Payload End -----------
type both,track by_src,count 10,seconds 120
|---------------------|
Building Rule: 2021444
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 09 47 72 6f 55 6e 64 48 6f 67 08 4d 61 70 53 6e 6f 64 65 03 43 6f 4d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021445
Protocol Not Supported
|---------------------|
Building Rule: 2021446
Protocol Not Supported
|---------------------|
Building Rule: 2021447
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021448
-------- Hex Payload Start ----------
68 74 6d 6c 20 63 6c 61 73 73 3d 22 6a 73 20 6a 73 20 73 65 73 73 69 6f 6e 73 74 6f 72 61 67 65 22 67 65 74 55 52 4c 50 61 72 61 6d 65 74 65 72 54 6f 6c 6c 20 46 72 65 65 6d 79 46 75 6e 63 74 69 6f 6e 28 29
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021449
-------- Hex Payload Start ----------
6d 79 46 75 6e 63 74 69 6f 6e 28 29 73 65 74 49 6e 74 65 72 76 61 6c 61 6c 65 72 74 67 70 2d 6d 73 67 2e 6d 70 33
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021500
-------- Hex Payload Start ----------
75 73 5f 77 69 6e 2e 6d 70 33 79 6f 75 72 4f 53 28 29 6d 79 46 75 6e 63 74 69 6f 6e 28 29 6f 6e 6c 6f 61 64 5f 66 75 6e 28 29
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule:
Protocol Not Supported
\x00\x05value$
content:"##value";
|---------------------|
Building Rule: 2021503
-------- Hex Payload Start ----------
73 72 00 05 76 61 6c 75 65 20 00 05 76 61 6c 75 65
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021504
-------- Hex Payload Start ----------
20 00 0d 67 69 76 65 43 6c 69 65 6e 74 4d 61 63
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021505
-------- Hex Payload Start ----------
20 00 07 6e 6f 74 68 69 6e 67
--------- Hex Payload End -----------
\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:".aaa/?A="; |---------------------| Building Rule: 2021506 -------- Hex Payload Start ---------- 50 4f 53 54 20 48 6f 73 74 3a 20 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 20 3a 20 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 20 --------- Hex Payload End ----------- ^\/[a-f0-9]{32}\/e\.html$ uricontent:"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/e.html"; |---------------------| Building Rule: 2021507 Error here depth! -------- Hex Payload Start ---------- 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021509 Error here within! -------- Hex Payload Start ---------- 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 eb bd 89 f5 c0 3b 7a 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021510 Error here within! 
|---------------------| Building Rule: 2021511 -------- Hex Payload Start ---------- 65 76 61 6c 28 66 75 6e 63 74 69 6f 6e 28 70 2c 61 2c 63 20 7c 46 69 6e 64 50 72 6f 78 79 46 6f 72 55 52 4c 7c 20 7c 70 72 6f 78 79 7c 20 7c 62 61 69 64 75 7c --------- Hex Payload End ----------- |---------------------| Building Rule: 2021512 Protocol Not Supported |---------------------| Building Rule: 2021513 Protocol Not Supported |---------------------| Building Rule: 2021514 Protocol Not Supported |---------------------| Building Rule: 2021515 Protocol Not Supported |---------------------| Building Rule: 2021516 Protocol Not Supported |---------------------| Building Rule: 2021517 Protocol Not Supported |---------------------| Building Rule: 2021518 Protocol Not Supported |---------------------| Building Rule: 2021519 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021521 Protocol Not Supported |---------------------| Building Rule: 2021522 -------- Hex Payload Start ---------- 6e 61 76 69 67 61 74 6f 72 2e 73 61 79 73 77 68 6f 61 6c 65 72 74 66 6f 72 53 65 63 75 69 74 79 46 69 72 65 66 6f 78 43 68 72 6f 6d 65 4e 65 74 73 63 61 70 65 --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021525 Protocol Not Supported ^\d+ content:"0"; |---------------------| Building Rule: 2021526 Error here within! 
-------- Hex Payload Start ---------- 2a 20 30 20 4d 48 5a 00 00 00 00 4d 42 00 00 00 00 28 6e 75 6c 6c 29 00 00 00 00 --------- Hex Payload End ----------- \/config[^\x2e\x2f]*?\.jpg$ uricontent:"/config.jpg"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/config"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; uricontent:"/config.jpg"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2021529 Protocol Not Supported |---------------------| Building Rule: 2021530 Protocol Not Supported |---------------------| Building Rule: 2021531 -------- Hex Payload Start ---------- 20 57 69 6e 48 74 74 70 2e 57 69 6e 48 74 74 70 52 65 71 75 65 73 74 --------- Hex Payload End ----------- ^s?\x3a\x2f+[^\r\n\s]+\.exe content:":/#.exe"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern:only; content:"200"; http_stat_code; content:"|0d 0a 0d 0a|http"; content:":/#.exe"; classtype:trojan-activity; sid:2021532; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2021533 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 6d 79 69 70 2e 6b 7a 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021534 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 68 6c 76 75 6d 76 76 63 6c 78 79 32 6e 77 37 6a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021535 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 53 68 61 72 65 64 3c 2f 74 69 74 6c 65 3e 6e 61 6d 65 3d 22 47 45 4e 45 52 41 54 4f 52 22 22 3e 6e 61 6d 65 3d 22 48 4f 53 54 49 4e 47 22 22 3e 4c 6f 67 69 6e 20 77 69 74 68 20 79 6f 75 72 20 65 6d 61 69 6c 43 68 6f 6f 73 65 20 79 6f 75 72 20 65 6d 61 69 6c 20 70 72 6f 76 69 64 65 72 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021536 -------- Hex Payload Start ---------- 69 6e 76 6f 69 63 65 74 6f 70 74 61 62 6c 65 73 69 6e 76 6f 69 63 65 63 6f 6e 74 65 6e 74 64 69 73 70 6c 61 79 54 65 78 74 67 6d 61 69 6c 64 69 73 70 6c 61 79 54 65 78 74 68 6f 74 6d 61 69 6c 64 69 73 70 6c 61 79 54 65 78 74 61 6f 6c --------- Hex Payload End ----------- |---------------------| Building Rule: 2021537 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 56 61 6c 69 64 61 74 65 46 6f 72 6d 4f 74 68 65 72 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021538 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 56 61 6c 69 64 61 74 65 46 6f 72 6d 48 6f 74 6d 61 69 6c 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021539 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 56 61 6c 69 64 61 74 65 46 6f 72 6d 47 6d 61 69 6c 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021540 -------- Hex Payload Start ---------- 66 75 6e 63 74 69 6f 6e 20 56 61 6c 69 64 61 74 65 46 6f 72 6d 59 61 68 6f 6f 28 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021541 Protocol Not Supported ^\s*?[$_]+w[$_]+i[$_]+=window\x3b content:"$w$i$=window;"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; content:"_=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; content:"$w$i$=window;"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021542; rev:3;) Parser failed - skipping rule ^\s*?[$_]+w[$_]+i[$_]+=window\x3b content:"$w$i$=window;"; Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; content:"$=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; content:"$w$i$=window;"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021543; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2021544 -------- Hex Payload Start ---------- 5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 5d 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2021545 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 64 65 63 72 79 70 74 6f 72 61 76 65 69 64 66 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021546 Protocol Not Supported |---------------------| Building Rule: 2021547 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 65 6e 63 72 79 70 74 6f 72 33 61 77 6b 36 70 78 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021548 -------- Hex Payload Start ---------- 20 4d 61 63 69 6e 74 6f 73 68 3b 20 48 6f 73 74 3a 20 6d 61 63 6b 65 65 70 65 72 20 6c 64 72 42 72 6f 77 73 65 72 3d 25 32 32 53 61 66 61 72 69 25 32 32 3b 20 6c 64 72 4f 73 3d 25 32 32 4d 61 63 2b 4f 53 2b 58 25 32 32 3b --------- Hex Payload End ----------- |---------------------| Building Rule: 2021549 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 76 61 63 64 67 77 61 77 35 64 6a 70 35 68 6d 75 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021550 -------- Hex Payload Start ---------- 47 45 54 20 20 74 72 61 63 6b 69 70 2e 6e 65 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021551 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 64 65 73 37 73 69 77 35 76 66 6b 7a 6e 6a 68 69 --------- Hex Payload End ----------- \/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$ Parser failed - skipping rule |---------------------| Building Rule: 2021553 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Potao CnC"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|application/xml"; content:"<?xml version=|22|1.0|22|?>"; depth:21; http_client_body; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; http_client_body; fast_pattern; classtype:trojan-activity; sid:2021554; rev:2;) Parser failed - skipping rule ^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a NOT IMPL not _simple(av) in REPEATING CODES content:" "; |---------------------| Building Rule: Protocol Not Supported _W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$ uricontent:"_W0.A/0/#/0.0.0.0/"; |---------------------| Building Rule: 2021556 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021557 -------- Hex Payload Start ---------- 47 45 54 20 20 4a 61 76 61 2f 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021558 -------- Hex Payload Start ---------- 47 45 54 20 20 4a 61 76 61 2f 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021560 -------- Hex Payload Start ---------- 50 4f 53 54 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021561 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 36 31 33 63 62 36 6f 77 69 74 63 6f 75 65 70 76 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021563 Protocol Not Supported |---------------------| Building Rule: 2021564 -------- Hex Payload Start ---------- 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 73 74 61 6c 6c 65 72 28 72 65 66 3d 5b 3b 77 69 6e 64 6f 77 73 3d 3b 75 61 63 3d 3b 65 6c 65 76 61 74 65 64 3d 3b 64 6f 74 6e 65 74 3d 3b 73 74 61 72 74 54 69 6d 65 3d 3b 70 69 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021565 Protocol Not Supported |---------------------| Building Rule: 2021566 Protocol Not Supported |---------------------| Building Rule: 2021567 Protocol Not Supported |---------------------| Building Rule: 2021568 Protocol Not Supported |---------------------| Building Rule: 2021569 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 20 2e 20 3a --------- Hex Payload End ----------- \.jpg\?vid=\d+$ uricontent:".jpg?vid=0"; |---------------------| Building Rule: 2021570 -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021571 -------- Hex Payload Start ---------- 47 45 54 20 20 2e 20 3a --------- Hex Payload End ----------- ^.{4}[^\x00]+\x00 content:"0000##"; Unsupported keyword! Error parsing rule contents alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; content:"0000##"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3;) Parser failed - skipping rule ^[^\x00]+\x00 content:"##"; Unsupported keyword! 
Error parsing rule contents alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; content:"##"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4;) Parser failed - skipping rule ^.{4}[^\x00]+\x00 content:"0000##"; Unsupported keyword! Error parsing rule contents alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; content:"0000##"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3;) Parser failed - skipping rule ^[^\x00]+\x00 content:"##"; Unsupported keyword! Error parsing rule contents alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; content:"##"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2021576 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 08 64 72 6f 6d 65 74 69 63 06 73 75 72 6f 6f 74 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021577 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 64 6f 63 75 6d 65 09 73 79 73 62 6c 6f 67 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021578 Error here depth! 
-------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 6f 68 69 6f 09 73 79 73 62 6c 6f 67 65 72 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021579 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 73 70 65 63 73 05 64 6e 73 72 64 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021580 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 03 6e 70 33 04 4a 6b 75 62 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021581 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 03 6e 73 38 05 64 64 6e 73 31 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021582 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 62 6f 6f 6b 73 06 6d 72 66 61 63 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021583 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 6b 69 65 74 69 07 69 70 73 65 63 73 6c 03 6e 65 74 00 --------- Hex Payload End ----------- \.php$ uricontent:".php"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"HOST|3a|"; depth:5; http_header; content:"User-Agent|3a|"; distance:0; http_header; uricontent:".php"; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/Hmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021584; rev:4;) Parser failed - skipping rule ^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$ NOT IMPL not _simple(av) in REPEATING CODES content:"# User-Agent:# "; |---------------------| Building Rule: Protocol Not Supported ^[A-Z]{2}[01] content:"AA0"; Unsupported keyword! Error parsing rule contents alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; content:"AA0"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; 
rev:3;) Parser failed - skipping rule ^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?var\s*?[a-z]+\s*?\=\s*?\d{4,7}\x3b\s*?\r?\n\s*?var\s*?[a-z]+\s*?\=\s*?\d{4,7}\x3b\s*?\r?\n\s*?var\s*?[a-z]+\s*?\=\s*?\d{4,7}\x3b\s*?\r?\n content:" <body> <script> vara=0000; vara=0000; vara=0000; "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021588 -------- Hex Payload Start ---------- 6e 67 69 6e 78 20 0d 0a 0d 0a 43 57 53 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021589 -------- Hex Payload Start ---------- 6e 67 69 6e 78 20 0d 0a 0d 0a 5a 57 53 --------- Hex Payload End ----------- ^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$ uricontent:"/"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Job314/Neutrino Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; uricontent:"/"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)\x3a\d+\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2021590; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: 2021591 Protocol Not Supported |---------------------| Building Rule: 2021592 Protocol Not Supported |---------------------| Building Rule: 2021593 Protocol Not Supported |---------------------| Building Rule: 2021594 Protocol Not Supported 
^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27] Parser failed - skipping rule |---------------------| Building Rule: 2021596 Protocol Not Supported \.php$ uricontent:".php"; |---------------------| Building Rule: 2021597 Error here depth! -------- Hex Payload Start ---------- 50 4f 53 54 20 20 41 63 63 65 70 74 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021598 Protocol Not Supported |---------------------| Building Rule: 2021599 Protocol Not Supported |---------------------| Building Rule: 2021600 -------- Hex Payload Start ---------- 48 6f 73 74 3a 20 77 77 77 2e 69 70 2e 63 6e 0d 0a --------- Hex Payload End ----------- \We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W content:"eval!"; |---------------------| Building Rule: 2021601 -------- Hex Payload Start ---------- 76 69 65 77 2d 73 6f 75 72 63 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73 20 73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74 20 72 65 74 75 72 6e 20 20 21 65 76 61 6c 21 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021602 Protocol Not Supported |---------------------| Building Rule: 2021603 Protocol Not Supported |---------------------| Building Rule: 2021604 Protocol Not Supported Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.VBKrypt.vquj Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|0d 0a|Content-Encoding|3a| binary|0d 0a|"; fast_pattern; http_header; content:"|03 00|"; http_client_body; depth:2; content:"|00 01 00|"; http_client_body; within:4; content:"|00 01 00|"; http_client_body; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:trojan-activity; sid:2021605; rev:4;) Parser failed - skipping rule ^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}\.exe$)(?=[a-f\d\x2f]{0,40}[g-z])[a-z0-9]{2,20}\/[a-z0-9]{2,20}\.exe$ Parser failed - skipping rule |---------------------| Building Rule: 2021608 -------- Hex Payload Start ---------- 20 20 3a 20 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 --------- Hex Payload End ----------- ^[a-z]\x29 content:"a)"; |---------------------| Building Rule: 2021609 -------- Hex Payload Start ---------- 65 76 61 6c 28 20 61 29 50 72 6f 62 6c 65 6d 73 20 69 6e 20 6c 6f 61 64 69 6e 67 20 69 6e 74 65 72 6e 65 74 20 65 78 70 6c 6f 72 65 72 54 72 79 20 61 67 61 69 6e 20 61 66 74 65 72 20 75 70 64 61 74 65 20 79 6f 75 72 20 73 79 73 74 65 6d 73 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021610 -------- Hex Payload Start ---------- 47 45 54 20 20 20 3a --------- Hex Payload End ----------- ^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D)) Parser failed - skipping rule 
^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D)) Parser failed - skipping rule |---------------------| Building Rule: 2021606 -------- Hex Payload Start ---------- 77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b 20 64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021615 Protocol Not Supported Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n content:"Cookie: SESSIONID=AAAAAAAAAAAAAAAA "; |---------------------| Building Rule: Protocol Not Supported ^\/gac\/[a-f0-9]{15}$ uricontent:"/gac/aaaaaaaaaaaaaaa"; |---------------------| Building Rule: 2021617 -------- Hex Payload Start ---------- 47 45 54 20 20 20 41 6e 64 72 6f 69 64 20 20 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 0d 0a 20 2e --------- Hex Payload End ----------- ^\/\?pcrc=\d+&v=[\d.]+$ uricontent:"/?pcrc=0&v=0"; |---------------------| Building Rule: 2021618 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 20 2e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021619 -------- Hex Payload Start ---------- 20 2e 20 3a --------- Hex Payload End ----------- \/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$ Parser failed - skipping rule ^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd) Parser failed - skipping rule 
|---------------------| Building Rule: 2021622 Protocol Not Supported |---------------------| Building Rule: 2021623 Protocol Not Supported |---------------------| Building Rule: 2021624 Protocol Not Supported \/(?:[a-z]+|\d+)\.jpg uricontent:"/.jpg"; |---------------------| Building Rule: 2021625 -------- Hex Payload Start ---------- 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 46 53 4c 20 37 2e 30 2e 36 2e 30 31 30 30 31 29 20 74 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported Cookie\x3a mstshash=[a-zA-Z]\r\n content:"Cookie: mstshash=a "; |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021633 Protocol Not Supported |---------------------| Building Rule: 2021634 Protocol Not Supported |---------------------| Building Rule: 2021635 Protocol Not Supported |---------------------| Building Rule: 2021636 Protocol Not Supported ^\s*?=\s*?[\x22\x27]vb[\x22\x27] content:"="vb""; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; content:"="vb""; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2021637; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021638
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})?$
NOT IMPL not _simple(av) in REPEATING CODES
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/0A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.html&a=#&a=000.000.000";
|---------------------| Building Rule: 2021639
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
\/\d\/?[A-Z]+\/[a-f0-9]{40}\/$
uricontent:"/0A/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/";
|---------------------| Building Rule: 2021640
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2021642 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021643 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2021645 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021646 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021647 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021648 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021649 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021650 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021651 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021652 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021653 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021654 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021655 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021656 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021657 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021658 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021659 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021660 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021661 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021662 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021663 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021664 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021665 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021666 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021667 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021668 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021669 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021670 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021671 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021672 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021673 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021674 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021675 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021676 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021677 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021678 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021679 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021680 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021681 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021682 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021683 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021684 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
\.php$
uricontent:".php";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BandarChor Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"number="; depth:7; http_client_body; content:"&id="; distance:0; http_client_body; content:"&pc="; distance:0; http_client_body; content:"&tail="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; uricontent:".php"; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:trojan-activity; sid:2021685; rev:5;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021686 Protocol Not Supported
|---------------------| Building Rule: 2021687 Protocol Not Supported
|---------------------| Building Rule: 2021688 Protocol Not Supported
\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:&data=[^&]*?)?$
NOT IMPL not _simple(av) in REPEATING CODES
uricontent:"/im?id=0";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; uricontent:"/im?id=0"; content:"office"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:4;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|s-p-o-o-f-e-d|07|h-o-s-t|04|name"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:1;)
Parser failed - skipping rule
\.php$
uricontent:".php";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - Credit Card"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"&ccnumber="; http_client_body; fast_pattern; content:"&expmonth="; distance:0; http_client_body; content:"&expyear="; distance:0; http_client_body; content:"&cvv="; distance:0; http_client_body; content:"&ccpin="; distance:0; http_client_body; uricontent:".php"; classtype:trojan-activity; sid:2021692; rev:2;)
Parser failed - skipping rule
\.php$
uricontent:".php";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - Three Security Questions"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"&q1="; http_client_body; content:"&answer1="; distance:0; http_client_body; fast_pattern; content:"&q2="; http_client_body; distance:0; content:"&answer2="; distance:0; http_client_body; content:"&q3="; distance:0; http_client_body; content:"&answer3="; distance:0; http_client_body; uricontent:".php"; classtype:trojan-activity; sid:2021693; rev:2;)
Parser failed - skipping rule
^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$
uricontent:"/";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; uricontent:"/"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:trojan-activity; sid:2021694; rev:5;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021695 Protocol Not Supported
|---------------------| Building Rule: 2021696
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
\.exe$
uricontent:".exe";
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; uricontent:".exe"; pcre:"/\/wp-(?:content|admin|includes)\//U"; classtype:trojan-activity; sid:2021697; rev:2;)
Parser failed - skipping rule
^\/\?[a-f0-9]{32,64}$
uricontent:"/?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------| Building Rule: 2021698
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]
content:"="a.xap"";
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Aug 21 2015"; flow:established,from_server; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; content:"="a.xap""; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:trojan-activity; sid:2021699; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021700
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021701
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021702
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021703 Protocol Not Supported
|---------------------| Building Rule: 2021704 Protocol Not Supported
|---------------------| Building Rule: 2021705 Protocol Not Supported
|---------------------| Building Rule: 2021706 Protocol Not Supported
|---------------------| Building Rule: 2021707
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$
Parser failed - skipping rule
^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url
content:">form{-ms-behavior:url";
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; content:"<style"; nocase; content:">form{-ms-behavior:url"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern:only; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:4;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021710
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021711 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021713
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021712 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021714 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021715 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
^[\x20-\x7e]{5,}.{8}\x78\x9c
content:" 00000000x";
Unsupported keyword!
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,little,post_offset -10; isdataat:!2,relative; content:" 00000000x"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2021716; rev:1;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021717 Protocol Not Supported
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2021719
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021720 Protocol Not Supported
|---------------------| Building Rule: 2021721 Protocol Not Supported
|---------------------| Building Rule: 2021722 Protocol Not Supported
\/r\.php\?[A-F0-9]+=?$
uricontent:"/r.php?A";
|---------------------| Building Rule: 2021723 Error here depth!
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021725
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021724
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021726
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021727
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021728
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021729
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021730
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021731 Protocol Not Supported
|---------------------| Building Rule: 2021732 Protocol Not Supported
|---------------------| Building Rule: 2021733 Protocol Not Supported
|---------------------| Building Rule: 2021734 Protocol Not Supported
&game=[a-f0-9]{40}$
uricontent:"&game=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|---------------------| Building Rule: 2021737
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern:only; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:2;)
Parser failed - skipping rule
Unsupported keyword!
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Corebot Checkin"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"AQAAA"; fast_pattern; depth:5; http_client_body; reference:md5,0f6a9b15bd9fd719bb96491e16eb2f9c; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; classtype:trojan-activity; sid:2021739; rev:2;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021740
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021741
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
\.exx$
uricontent:".exx";
|---------------------| Building Rule: 2021742
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
^[A-Z]{2}[01]
content:"AA0";
Unsupported keyword!
Error parsing rule contents alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 2 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; content:"AA0"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021744
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021745
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
^\d+\x3b
content:"0;";
Unsupported keyword!
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern:9,20; content:"0;"; content:"<style>."; pcre:"/^(?P<stylename>[a-z]+){position\x3aabsolute\x3btop\x3a-?\d{1,}px\x3b[^\r\n]+<\/style><div\s*?class=\s*?[\x22\x27](?P=stylename)[\x22\x27]><iframe/Ri"; classtype:trojan-activity; sid:2021746; rev:3;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021747
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021748
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
^[a-zA-Z0-9]+[01]
content:"a0";
Unsupported keyword!
Error parsing rule contents alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; content:"a0"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:6;)
Parser failed - skipping rule
|---------------------| Building Rule: 2021750 Protocol Not Supported
|---------------------| Building Rule: 2021751 Protocol Not Supported
|---------------------| Building Rule: Protocol Not Supported
^[\x20-\x7e]+?.{8}\x78\x9c
content:" 00000000x";
Unsupported keyword!
Error parsing rule contents alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!2,relative; content:" 00000000x"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:trojan-activity; sid:2021753; rev:2;)
Parser failed - skipping rule
\.dat$
uricontent:".dat";
|---------------------| Building Rule: 2021754
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021755
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: Protocol Not Supported
|---------------------| Building Rule: 2021757
-------- Hex Payload Start ---------- [bytes omitted] --------- Hex Payload End -----------
|---------------------| Building Rule: 2021758 Error here within!
-------- Hex Payload Start ---------- 0d 0a 0d 0a 00 00 00 18 66 74 79 70 6d 70 34 20 98 2a 00 b0 b3 38 00 b0 20 20 20 20 00 10 00 00 07 00 00 00 03 d0 00 d0 04 d0 00 d0 44 11 00 b0 --------- Hex Payload End ----------- ^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1) NOT IMPL Groupref NOT IMPL Groupref content:"00000000"; |---------------------| Building Rule: 2021759 -------- Hex Payload Start ---------- 73 74 73 63 00 00 00 00 c0 00 00 03 20 00 20 30 30 30 30 30 30 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021760 -------- Hex Payload Start ---------- 3c 74 69 74 6c 65 3e 57 65 62 6d 61 69 6c 20 4c 6f 67 69 6e 3c 2f 74 69 74 6c 65 3e 46 6f 72 20 57 65 62 6d 61 69 6c 20 74 6f 20 66 75 6e 63 74 69 6f 6e 20 70 72 6f 70 65 72 6c 79 79 6f 75 20 6d 75 73 74 20 65 6e 61 62 6c 65 20 4a 61 76 61 53 63 72 69 70 74 59 6f 75 20 68 61 76 65 20 6c 6f 67 67 65 64 20 6f 75 74 50 6c 65 61 73 65 20 73 65 6c 65 63 74 20 61 20 6c 6f 63 61 6c 65 45 6d 61 69 6c 20 41 64 64 72 65 73 73 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021761 -------- Hex Payload Start ---------- 22 61 6a 61 78 5f 74 69 6d 65 6f 75 74 22 20 3a 20 22 41 75 74 68 65 6e 74 69 63 61 74 69 6e 67 20 e2 80 a6 22 2c 22 65 78 70 69 72 65 64 5f 73 65 73 73 69 6f 6e 22 20 3a 20 22 59 6f 75 72 22 70 72 65 76 65 6e 74 65 64 5f 78 66 65 72 22 20 3a 20 22 54 68 65 20 73 65 73 73 69 6f 6e 73 75 63 63 65 73 73 66 75 6c 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 e2 80 a6 22 2c 22 74 6f 6b 65 6e 5f 69 6e 63 6f 72 72 65 63 74 22 20 3a 20 22 54 68 65 20 73 65 63 75 72 69 74 79 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern:18,20; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021762; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021763 -------- Hex Payload Start ---------- 69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29 20 66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29 --------- Hex Payload End ----------- ^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$ Parser failed - skipping rule |---------------------| Building Rule: 2021765 -------- Hex Payload Start ---------- 6e 67 69 6e 78 20 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 20 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021767 Protocol Not Supported |---------------------| Building Rule: 2021769 Protocol Not Supported |---------------------| Building Rule: 2021770 Protocol Not Supported |---------------------| Building Rule: 2021771 Protocol Not Supported |---------------------| Building Rule: 2021772 Protocol Not Supported ^[A-Z]{2} content:"AA"; Unsupported keyword! 
Error parsing rule contents alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; content:"AA"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern:only; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:5;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PE EXE or DLL Windows file download Text"; flow:established,from_server; content:"4D5A"; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021776 Protocol Not Supported |---------------------| Building Rule: 2021777 Protocol Not Supported |---------------------| Building Rule: 2021778 -------- Hex Payload Start ---------- 0d 0a 0d 0a 23 31 f9 4f 62 57 73 67 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021779 Protocol Not Supported |---------------------| Building Rule: 2021780 Protocol Not Supported |---------------------| Building Rule: 2021781 Protocol Not Supported |---------------------| Building Rule: 2021782 Protocol Not Supported 
|---------------------| Building Rule: 2021783 Protocol Not Supported |---------------------| Building Rule: 2021784 Protocol Not Supported Unsupported keyword! Error parsing rule contents alert tcp any any -> $HOME_NET 80 (msg:"ET TROJAN SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:trojan-activity; sid:2021785; rev:3;) Parser failed - skipping rule \.php\?rnd=\d+&id=[0-9A-F]{32,}$ uricontent:".php?rnd=0&id=00000000000000000000000000000000"; |---------------------| Building Rule: 2021786 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- \.php\?id=[0-9A-F]{32,}&rnd=\d+$ uricontent:".php?id=00000000000000000000000000000000&rnd=0"; |---------------------| Building Rule: 2021787 -------- Hex Payload Start ---------- 20 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021788 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 05 78 73 73 6f 6b 08 62 6c 6f 67 73 70 6f 74 03 63 6f 6d 00 --------- Hex Payload End ----------- ^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10} NOT IMPL not _simple(av) in REPEATING CODES NOT IMPL not _simple(av) in REPEATING CODES content:"0.0.0.0$$$$$$$$$$"; |---------------------| Building Rule: 2021789 -------- Hex Payload Start ---------- 24 24 24 24 24 24 24 24 24 24 20 30 2e 30 2e 30 2e 30 24 24 24 24 24 24 24 24 24 24 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021790 -------- Hex Payload Start ---------- 20 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 69 6e 48 54 54 50 20 45 78 61 6d 70 6c 65 2f 31 2e 30 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021791 Error here within! 
-------- Hex Payload Start ---------- 00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00 20 00 20 20 20 00 00 00 00 00 00 00 00 00 00 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021792 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0d 67 61 6d 65 6f 66 74 68 72 6f 6e 65 73 04 64 64 6e 73 03 6e 65 74 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021793 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 63 68 72 6f 6d 65 09 73 65 72 76 65 68 74 74 70 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021794 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 06 75 70 64 61 74 65 09 67 74 61 6c 6b 6c 69 74 65 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021795 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 11 74 72 65 6e 64 6d 69 63 72 6f 2d 75 70 64 61 74 65 03 6f 72 67 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021796 -------- Hex Payload Start ---------- 63 68 6b 72 6f 6f 74 32 30 30 37 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021797 Protocol Not Supported |---------------------| Building Rule: 2021798 Protocol Not Supported |---------------------| Building Rule: 2021799 Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021801 Protocol Not Supported |---------------------| Building Rule: 2021802 Protocol Not Supported |---------------------| Building Rule: 2021803 Protocol Not Supported |---------------------| Building Rule: 2021804 Protocol Not Supported |---------------------| Building Rule: 2021805 Protocol Not Supported |---------------------| Building Rule: 2021806 Error 
here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 69 6e 69 74 0f 69 63 6c 6f 75 64 2d 61 6e 61 6c 79 73 69 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021807 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 69 6e 69 74 12 69 63 6c 6f 75 64 2d 64 69 61 67 6e 6f 73 74 69 63 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021808 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 04 69 6e 69 74 0f 63 72 61 73 68 2d 61 6e 61 6c 79 74 69 63 73 03 63 6f 6d 00 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021809 Protocol Not Supported |---------------------| Building Rule: 2021810 Protocol Not Supported |---------------------| Building Rule: 2021811 -------- Hex Payload Start ---------- 6d 61 6c 77 61 72 65 20 65 72 72 6f 72 20 38 39 35 2d 73 79 73 74 65 6d 20 33 32 2e 65 78 65 20 52 45 53 4f 4c 56 45 20 54 48 45 20 49 53 53 55 45 20 4f 4e 20 54 4f 4c 4c 20 46 52 45 45 20 2d 20 31 2d 38 35 35 2d 20 44 4f 20 4e 4f 54 20 53 48 55 54 20 44 4f 57 4e 20 4f 52 20 52 45 53 54 41 52 54 --------- Hex Payload End ----------- \/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/"; |---------------------| Building Rule: 2021812 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f --------- Hex Payload End ----------- \/images(?:\/[a-zA-Z0-9_]+)+\.gif$ NOT IMPL not _simple(av) in REPEATING CODES uricontent:"/images.gif"; |---------------------| Building Rule: 2021813 Error here depth! 
-------- Hex Payload Start ---------- 47 45 54 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 20 3a 20 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f --------- Hex Payload End ----------- Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"|20 7c 20 22|0x"; http_client_body; fast_pattern; content:"_"; distance:0; http_client_body; content:"|22 20 7c 20|"; distance:0; http_client_body; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021814; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021815 Protocol Not Supported |---------------------| Building Rule: 2021816 Protocol Not Supported |---------------------| Building Rule: 2021817 Protocol Not Supported |---------------------| Building Rule: 2021818 Protocol Not Supported |---------------------| Building Rule: 2021819 Protocol Not Supported |---------------------| Building Rule: 2021822 -------- Hex Payload Start ---------- 50 4f 53 54 20 48 6f 73 74 3a 20 69 6e 69 74 2e 69 63 6c 6f 75 64 2d 61 6e 61 6c 79 73 69 73 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021824 Protocol Not Supported |---------------------| Building Rule: 2021825 Protocol Not Supported |---------------------| Building Rule: 2021826 Protocol Not Supported |---------------------| Building Rule: 2021827 Protocol Not Supported 
|---------------------| Building Rule: 2021828 Protocol Not Supported \.(?:gif|bmp|jpeg|png)$ uricontent:"."; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; uricontent:"."; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3;) Parser failed - skipping rule \.[a-z]{3,4}$ uricontent:".aaa"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; uricontent:".aaa"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2021831 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 0a 67 72 65 65 6e 73 6b 79 32 37 04 76 69 63 70 03 6e 65 74 00 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XcodeGhost CnC M2"; flow:established,to_server; content:"POST"; http_method; content:"|00 00 01|"; http_client_body; content:"|00 65 00 0a 95 3a 10 8a 09 25 4e d7 94 5e e9 70 59 e2 95 79|"; http_client_body; distance:1; within:20; classtype:trojan-activity; sid:2021832; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021833 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021834 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021835 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021836 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex 
Payload End ----------- |---------------------| Building Rule: 2021837 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021838 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021839 -------- Hex Payload Start ---------- 50 4f 53 54 20 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 72 76 3a 33 36 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 36 2e 30 20 45 78 70 65 63 74 3a 20 31 30 30 2d 63 6f 6e 74 69 6e 75 65 20 3a --------- Hex Payload End ----------- ^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe NOT IMPL not _simple(av) in REPEATING CODES content:"ContentloadingPlease wait<iframe"; |---------------------| Building Rule: 2021840 -------- Hex Payload Start ---------- 3c 62 6f 64 79 3e 20 43 6f 6e 74 65 6e 74 6c 6f 61 64 69 6e 67 50 6c 65 61 73 65 20 77 61 69 74 3c 69 66 72 61 6d 65 20 43 6f 6e 74 65 6e 74 20 6c 6f 61 64 69 6e 67 50 6c 65 61 73 65 20 77 61 69 74 3c 69 66 72 61 6d 65 20 73 31 3d 22 6f 66 66 22 6d 61 73 6b 3d 74 72 75 65 --------- Hex Payload End ----------- ^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+ NOT IMPL not _simple(av) in REPEATING CODES content:"top:-0px;0left:-0px;0<iframe 0stack=0"; Unsupported keyword! 
Error parsing rule contents alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; content:"top:-0px;0left:-0px;0<iframe 0stack=0"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern:only; classtype:trojan-activity; sid:2021841; rev:3;) Parser failed - skipping rule |---------------------| Building Rule: 2021842 Protocol Not Supported |---------------------| Building Rule: 2021843 Protocol Not Supported |---------------------| Building Rule: 2021844 Protocol Not Supported |---------------------| Building Rule: 2021845 Protocol Not Supported |---------------------| Building Rule: 2021846 -------- Hex Payload Start ---------- 76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27 27 30 30 27 30 32 29 27 30 32 27 30 30 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021847 -------- Hex Payload Start ---------- 47 45 54 20 --------- Hex Payload End ----------- ^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$ uricontent:"/in/?_BC=0,0,0,0,"; |---------------------| Building Rule: 2021848 -------- Hex Payload Start ---------- 47 45 54 20 20 52 65 66 65 72 65 72 3a 2f 73 6e 69 74 63 68 3f 64 65 66 61 75 6c 74 5f 6b 65 79 77 6f 72 64 3d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021849 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 68 33 36 66 68 76 73 75 70 65 34 6d 69 37 6d 6d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021850 Error here depth! -------- Hex Payload Start ---------- 20 20 01 00 00 01 00 00 00 00 00 00 10 37 76 68 62 75 6b 7a 78 79 70 78 68 33 78 66 79 --------- Hex Payload End ----------- Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"P"; depth:1; nocase; http_client_body; content:"myPath = "; nocase; http_client_body; content:"iFold = "; nocase; http_client_body; content:"wallPath = "; nocase; http_client_body; fast_pattern:only; content:"listPath = "; nocase; http_client_body; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021851; rev:4;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"M FSO object created|0d 0a|"; http_client_body; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021852; rev:3;) Parser failed - skipping rule Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"M STATE|3a 20|INSTALL|0d 0a|"; http_client_body; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021853; rev:3;) Parser failed - skipping rule Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021854; rev:4;) Parser failed - skipping rule |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: Protocol Not Supported |---------------------| Building Rule: 2021863 Protocol Not Supported |---------------------| Building Rule: 2021864 Protocol Not Supported |---------------------| Building Rule: 2021865 Protocol Not Supported |---------------------| Building Rule: 2021866 Protocol Not Supported |---------------------| Building Rule: 2021867 Protocol Not Supported |---------------------| Building Rule: 2021868 Protocol Not Supported |---------------------| Building Rule: 2021869 Protocol Not Supported |---------------------| Building Rule: 2021870 -------- Hex Payload Start ---------- --------- Hex Payload End ----------- |---------------------| Building Rule: 2021871 Protocol Not Supported |---------------------| Building Rule: 2021872 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 48 54 54 50 46 4c 4f 4f 44 7d 53 74 61 72 74 65 64 20 63 6f 6e 73 75 6d 69 6e 67 20 64 61 74 61 20 66 72 6f 6d 20 68 6f 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021873 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 54 
43 50 46 4c 4f 4f 44 7d 53 74 61 72 74 65 64 20 73 65 6e 64 69 6e 67 20 74 63 70 20 64 61 74 61 20 74 6f 20 68 6f 73 74 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021874 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 55 44 50 46 4c 4f 4f 44 7d 20 53 74 61 72 74 65 64 20 73 65 6e 64 69 6e 67 20 75 64 70 20 64 61 74 61 20 74 6f 20 68 6f 73 74 --------- Hex Payload End ----------- ^(?:in|out) content:""; |---------------------| Building Rule: 2021875 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 5d 20 7b 41 55 54 48 7d 20 55 73 65 72 6c 6f 67 67 65 64 20 20 --------- Hex Payload End ----------- |---------------------| Building Rule: 2021876 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 52 41 57 7d 45 78 65 63 75 74 69 6e 67 20 63 6f 6d 6d 61 6e 64 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021877 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 45 58 45 43 7d 45 78 65 63 75 74 69 6e 67 20 63 6f 6d 6d 61 6e 64 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021878 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 43 48 53 45 52 56 45 52 7d 43 68 61 6e 67 69 6e 67 20 73 65 72 76 65 72 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021879 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 53 54 4f 50 7d 20 53 74 6f 70 20 63 6f 6d 6d 61 6e 64 20 2d 3e --------- Hex Payload End ----------- |---------------------| Building Rule: 2021880 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 7b 52 45 53 54 41 52 54 7d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021881 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 5d 20 50 72 6f 63 65 73 73 20 66 69 6e 69 73 68 65 64 20 3d 3e 20 54 6f 74 61 6c 20 62 79 74 65 73 20 72 65 61 64 3a 54 6f 74 61 6c 20 62 79 74 65 73 20 73 65 6e 74 3a --------- 
Hex Payload End ----------- |---------------------| Building Rule: 2021882 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 54 6f 74 61 6c 20 63 6f 6e 6e 65 63 74 69 6f 6e 73 20 63 6f 6d 70 6c 65 74 65 64 3a 20 54 6f 74 61 6c 20 63 6f 6e 6e 65 63 74 69 6f 6e 73 20 66 61 69 6c 65 64 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021883 -------- Hex Payload Start ---------- 50 52 49 56 4d 53 47 20 20 4d 42 2c 20 41 76 65 72 61 67 65 20 73 70 65 65 64 3a --------- Hex Payload End ----------- |---------------------| Building Rule: 2021884 Protocol Not Supported |---------------------| Building Rule: 2021885 Protocol Not Supported type limit,track by_src,seconds 300,count 1 |---------------------| Building Rule: 2021886 -------- Hex Payload Start ---------- 0d 0a 58 2d 48 6f 6c 61 2d --------- Hex Payload End ----------- |---------------------| Building Rule: 2021887 Protocol Not Supported |---------------------| Building Rule: 2021888 Protocol Not Supported \.exe$ uricontent:".exe"; |---------------------| Building Rule: 2021889 Error here depth! -------- Hex Payload Start ---------- 47 45 54 20 20 74 20 3a 20 48 6f 73 74 3a 20 77 77 77 2e 71 75 61 76 65 72 73 65 2e 63 6f 6d 0d 0a --------- Hex Payload End ----------- \.php$ uricontent:".php"; Unsupported keyword! Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phish Outlook Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"outlookuser="; depth:12; nocase; fast_pattern; http_client_body; content:"outlookpassword="; nocase; http_client_body; distance:0; uricontent:".php"; classtype:trojan-activity; sid:2021890; rev:2;) Parser failed - skipping rule \.php$ uricontent:".php"; Unsupported keyword! 
Error parsing rule contents alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; content:"&Button"; nocase; http_client_body; distance:0; uricontent:".php"; classtype:trojan-activity; sid:2021892; rev:2;) Parser failed - skipping rule |---------------------| Building Rule: 2021893 -------- Hex Payload Start ---------- 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 3d 50 43 46 45 54 30 4e 55 57 56 42 46 49 47 68 30 62 57 77 2b 44 51 6f --------- Hex Payload End ----------- |---------------------| Building Rule: 2021894 Protocol Not Supported |---------------------| Building Rule: 2021895 Protocol Not Supported |---------------------| Building Rule: 2021896 Protocol Not Supported |---------------------| Building Rule: 2021897 Protocol Not Supported |---------------------| Building Rule: 2021898 Protocol Not Supported \.plist$ uricontent:".plist"; Unsupported keyword! 
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; uricontent:".plist"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule: 2021902
Protocol Not Supported
|---------------------|
Building Rule: 2021903
Protocol Not Supported
|---------------------|
Building Rule: 2021904
Protocol Not Supported
^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)
Parser failed - skipping rule
^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)
Parser failed - skipping rule
^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021908
-------- Hex Payload Start ----------
66 75 6e 63 74 69 6f 6e 20 63 6b 6c 20 56 49 50 2a 2f
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021909
Protocol Not Supported
|---------------------|
Building Rule: 2021910
Protocol Not Supported
|---------------------|
Building Rule: 2021911
Protocol Not Supported
|---------------------|
Building Rule: 2021912
-------- Hex Payload Start ----------
4e 4f 54 49 43 45 3a 6d 75 42 6f 54 20 50 72 69 76 20 56 65 72 73 69 6f 6e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021913
-------- Hex Payload Start ----------
4e 4f 54 49 43 45 3a 6d 75 42 6f 54 20 73 61 79 73 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021914
-------- Hex Payload Start ----------
4e 4f 54 49 43 45 3a 5b 41 70 61 63 68 65 20 2f 20 50 48 50 20 35 2e 78
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021915
-------- Hex Payload Start ----------
4e 4f 54 49 43 45 46 4c 4f 4f 44 20 3c 74 61 72 67 65 74 3e 20 3c 70 6f 72 74 3e 20 3c 73 65 63 73 3e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021916
-------- Hex Payload Start ----------
4e 4f 54 49 43 45 3a 46 6c 6f 6f 64 69 6e 67 20 77 69 74 68 20 54 43 50
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021917
-------- Hex Payload Start ----------
55 73 65 72 2d 41 67 65 6e 74 3a 20 49 27 6d 20 61 20 6d 75 20 6d 75 20 6d 75 20 3f
--------- Hex Payload End -----------
|---------------------|
Building Rule:
Protocol Not Supported
|---------------------|
Building Rule: 2021919
-------- Hex Payload Start ----------
20 20 20 20 20 20 74 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021920
Protocol Not Supported
|---------------------|
Building Rule: 2021921
Protocol Not Supported
|---------------------|
Building Rule: 2021922
-------- Hex Payload Start ----------
20 74 20 2e 20 2e
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neshta.A Posting Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| multipart/form-data|3b| boundary="; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; nocase; http_header; content:"name=|22|file|22 3b 20|filename=|22|Browser"; http_client_body; fast_pattern:10,20; reference:md5,e93e5af213707ef1888784fa1e709004; classtype:trojan-activity; sid:2021923; rev:3;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021924
Protocol Not Supported
|---------------------|
Building Rule: 2021925
Protocol Not Supported
|---------------------|
Building Rule: 2021926
Protocol Not Supported
|---------------------|
Building Rule: 2021927
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 03 61 70 73 06 6b 65 6d 6f 67 65 03 6e 65 74 00
--------- Hex Payload End -----------
Unsupported keyword!
Error parsing rule contents
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021929
-------- Hex Payload Start ----------
47 45 54 20 20 3a
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021930
-------- Hex Payload Start ----------
53 00 45 00 4c 00 45 00 43 00 54 00 20 00 69 00 6d 00 67 46 00 52 00 4f 00 4d 00 20 00 64 00 62 00 6f 00 2e 00 6e 00 6f 00 76 00 6f 00 73 00 6c 00 6f 00 61 00 64 00 20 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021931
-------- Hex Payload Start ----------
03 00 64 00 62 00 6f 00 09 00 6e 00 6f 00 76 00 6f 00 73 00 6c 00 6f 00 61 00 64 00 03 69 00 6d 00 67 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021935
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 0c 67 6f 6f 67 6c 65 6d 61 6e 61 67 65 03 63 6f 6d 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021936
Error here depth!
-------- Hex Payload Start ----------
20 20 01 00 00 01 00 00 00 00 00 00 06 6f 70 65 72 61 61 03 6e 65 74 00
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021937
Error here within!
-------- Hex Payload Start ----------
55 04 03 20 12 68 74 74 70 73 76 61 6c 69 64 61 74 6f 72 2e 63 6f 6d
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021938
Protocol Not Supported
^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]
content:"="a.xap"";
Unsupported keyword!
Error parsing rule contents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Oct 08 2015"; flow:established,from_server; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; content:"="a.xap""; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021939; rev:5;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021940
Protocol Not Supported
|---------------------|
Building Rule: 2021941
-------- Hex Payload Start ----------
16 20 4f 57 41 53 50 20 5a 65 64 20 41 74 74 61 63 6b 20 50 72 6f 78 79 20 52 6f 6f 74 20 43 41
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021942
-------- Hex Payload Start ----------
16 20 50 6f 72 74 53 77 69 67 67 65 72 20 43 41
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021943
-------- Hex Payload Start ----------
16 20 44 4f 5f 4e 4f 54 5f 54 52 55 53 54 5f 46 69 64 64 6c 65 72 52 6f 6f 74
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021944
-------- Hex Payload Start ----------
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021945
Protocol Not Supported
^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021947
Error here depth!
-------- Hex Payload Start ----------
20 20 20 20 6c 55 55 45 03 10 48 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--------- Hex Payload End -----------
^[a-zA-Z0-9]+[01]
content:"a0";
Unsupported keyword!
Error parsing rule contents
alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; content:"a0"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:2;)
Parser failed - skipping rule
|---------------------|
Building Rule: 2021949
-------- Hex Payload Start ----------
47 45 54 20 20 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20
--------- Hex Payload End -----------
|---------------------|
Building Rule: 2021950
Protocol Not Supported
Loaded 13101 rules succesfully!
Loading flowbits rules...
found only SET in flowbit name et.WinHttpRequest 2019821,set
found only SET in flowbit name ET.Adobe.Site.Download 2017294,set
found only SET in flowbit name ET.OneLouder.Header 2018463,set
found only SET in flowbit name ms.rdp.established 2014386,set
found only SET in flowbit name ET.ass.request 2010757,set
found only SET in flowbit name ET.IonCube 2020993,set
found only SET in flowbit name ETPRO.MalDocEXEPrimer 2020837,set
found only SET in flowbit name ET.zbot.ua.2106509 2016509,set
found only SET in flowbit name ET.bd1 2009240,set
found only SET in flowbit name ET.Bicololo.Request 2016946,set
found only SET in flowbit name ET.BARTALEX 2021531,set
found only SET in flowbit name ET.CottonCastle.Exploit 2021307,set
found only SET in flowbit name ET.Fareit.chk 2014234,set
found only SET in flowbit name is_ssh_server_banner 2013936,set
found only SET in flowbit name ET.saturn.checkin 2007751,set
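The log above shows two things a rule converter does before it can emit anything: it turns every `content:` match into raw bytes (the "Hex Payload" lines, with `|hh hh|` runs decoded and all positive contents concatenated, as the SQL and PE-string pieces under rule 2021931 show) and it rejects keywords it cannot express (`Error here depth!`, `Error here within!`, `Unsupported keyword!`, and pcre lines that end in `Parser failed`); the final pass then lists flowbits that some rule sets but no rule ever tests. The script below is an added example that re-implements both checks so the failures can be reproduced on any rule file. It is not the converter's own code, and the converter's real acceptance rules are not on the page: the `UNSUPPORTED` and `CONTENT_MODIFIERS` sets are assumptions drawn from the keywords that precede the failures in the log, and treating negated `content:!` as unsupported is inferred from rule 2021923 (Neshta), which fails with nothing else unusual in it. The two full rules are copied verbatim from the log (sids 2021900 and 2021928); the three flowbits rules at the end are constructed for the example and carry made-up sids.

```python
import re

# Snort/Suricata rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?:->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$", re.S)

# Keywords whose presence precedes a failure in the log (assumption: the converter's
# true list is not on the page).
UNSUPPORTED = {"depth", "offset", "distance", "within", "pcre", "byte_test",
               "byte_extract", "byte_jump", "isdataat", "urilen", "uricontent"}


def split_options(body):
    """Split the option body on ';' into (keyword, value) pairs, honouring double
    quotes and backslash escapes so a ';' inside a quoted value does not end an option."""
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep escape pairs together
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if "".join(current).strip():
        options.append("".join(current).strip())
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in options)]


def decode_content(quoted):
    """Expand a content: value to bytes: |hh hh| runs are hex, a backslash escapes
    the next character, everything else is a literal byte."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("content value must be double-quoted: %r" % quoted)
    text, out, i = quoted[1:-1], bytearray(), 0
    while i < len(text):
        if text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        elif text[i] == "\\":
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def analyse_rule(rule):
    """Concatenate the positive content bytes in the log's 'Hex Payload' format and
    collect the keywords (in rule order) that the converter would reject."""
    match = HEADER_RE.match(rule.strip())
    if not match:
        raise ValueError("not a Snort/Suricata rule")
    payload, problems, flowbits, sid = bytearray(), [], [], None
    for keyword, value in split_options(match.group("body")):
        if keyword == "content":
            negated = value.startswith("!")
            data = decode_content(value[1:].strip() if negated else value)
            if negated:
                problems.append("negated content")  # assumption, see rule 2021923
            else:
                payload += data
        elif keyword == "sid":
            sid = int(value)
        elif keyword == "flowbits":
            op, _, name = value.partition(",")  # e.g. set,name / isset,name / noalert
            flowbits.append((op.strip(), name.strip()))
        elif keyword in UNSUPPORTED:
            problems.append(keyword)
    return {"sid": sid, "proto": match.group("proto"), "flowbits": flowbits,
            "payload_hex": " ".join("%02x" % b for b in payload), "problems": problems}


def audit_flowbits(rules):
    """Mirror the 'Loading flowbits rules...' pass: names that are set by some rule
    but never tested with isset/isnotset, mapped to the sids that set them."""
    setters, tested = {}, set()
    for rule in rules:
        info = analyse_rule(rule)
        for op, name in info["flowbits"]:
            if op == "set":
                setters.setdefault(name, []).append(info["sid"])
            elif op in ("isset", "isnotset"):
                tested.add(name)
    return {name: sids for name, sids in setters.items() if name not in tested}


# Rules copied verbatim from the conversion log above.
YISPECTER_RULE = r'''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; uricontent:".plist"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:3;)'''
KEMOGE_RULE = r'''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:2;)'''

# Constructed sample rules for the flowbits audit (not from the page; sids are made up).
FLOWBIT_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE set only"; content:"GET"; flowbits:set,example.set.only; flowbits:noalert; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE set half"; content:"POST"; flowbits:set,example.paired; flowbits:noalert; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXAMPLE check half"; content:"200 OK"; flowbits:isset,example.paired; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    for rule in (YISPECTER_RULE, KEMOGE_RULE):
        info = analyse_rule(rule)
        print("Building Rule: %d\n%s\nproblems: %s" % (info["sid"], info["payload_hex"], info["problems"]))
    for name, sids in audit_flowbits(FLOWBIT_RULES).items():
        print("found only SET in flowbit name %s %s" % (name, ",".join("%d,set" % s for s in sids)))
```

Running it prints the YiSpecter contents as `47 45 54 2e 70 6c 69 73 74 62 62 38 30 30 2e 63 6f 6d 0d 0a` with `uricontent` and `pcre` listed as problems, and for the Kemoge rule lists `urilen`, `depth`, `distance` (twice) and the negated `Referer` content, which matches the keywords the converter complains about in the log; the flowbits audit reports only `example.set.only`, since `example.paired` has a matching `isset`. Note that the bare `|01 00 00 01 00 00 00 00 00 00|` style DNS payloads in the log (rules 2021927, 2021935, 2021936) only make sense once `depth`/`offset` are honoured, which is exactly the keyword this converter flags, so a rule that passes the content decoding step can still be unusable if its positional constraints are dropped.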