IDS Signatures Grouped by Software Release Version 4


Release version 2.1.1.3

3002-TCP SYN Port Sweep

3003-TCP Frag SYN Port Sweep

3005-TCP FIN Port Sweep

3006-TCP Frag FIN Port Sweep

3010-TCP High Port Sweep

3011-TCP FIN High Port Sweep

3012-TCP Frag FIN High Port Sweep

3015-TCP Null Port Sweep

3016-TCP Frag Null Port Sweep

3020-TCP SYN FIN Port Sweep

3021-TCP Frag SYN FIN Port Sweep

3106-Mail Spam

3107-Majordomo Execute Attack

3221-WWW cgi-viewsource Attack

3222-WWW PHP Log Scripts Read Attack

3223-WWW IRIX cgi-handler Attack

3224-HTTP WebGais

3225-WWW websendmail File Access

3226-WWW Webdist Bug

3227-WWW Htmlscript Bug

3228-WWW Performer Bug

3251-TCP Hijacking Simplex Mode

3400-Sunkill

6180-rexd Attempt

6190-statd Buffer Overflow

Release version 2.1.1

1001-IP options-Record Packet Route

1002-IP options-Timestamp

1004-IP options-Loose Source Route

1006-IP options-Strict Source Route

1102-Impossible IP Packet

1103-IP Fragments Overlap

2100-ICMP Network Sweep w/Echo

2101-ICMP Network Sweep w/Timestamp

2102-ICMP Network Sweep w/Address Mask

2150-Fragmented ICMP Traffic

2153-Smurf

3001-TCP Port Sweep

3100-Smail Attack

3101-Sendmail Invalid Recipient

3102-Sendmail Invalid Sender

3103-Sendmail Reconnaissance

3104-Archaic Sendmail Attacks

3105-Sendmail Decode Alias

3150-FTP Remote Command Execution

3151-FTP SYST Command Attempt

3152-FTP CWD ~root

3153-FTP Improper Address Specified

3154-FTP Improper Port Specified

3200-WWW Phf Attack

3202-WWW .url File Requested

3203-WWW .lnk File Requested

3204-WWW .bat File Requested

3205-HTML File Has .url Link

3206-HTML File Has .lnk Link

3207-HTML File Has .bat Link

3208-WWW campas Attack

3209-WWW Glimpse Server Attack

3210-WWW IIS View Source Attack

3211-WWW IIS Hex View Source Attack

3212-WWW NPH-TEST-CGI Attack

3213-WWW TEST-CGI Attack

3214-IIS DOT DOT VIEW Attack

3215-IIS DOT DOT EXECUTE Attack

3216-WWW Directory Traversal ../..

3217-WWW php View File Attack

3218-WWW SGI Wrap Attack

3219-WWW PHP Buffer Overflow

3220-IIS Long URL Crash Bug

3250-TCP Hijack

3300-NetBIOS OOB Data

3303-Windows Guest Login

3305-Windows Password File Access

3306-Windows Registry Access

3307-Windows Redbutton Attack

3401-Telnet-IFS Match

3500-Rlogin -froot Attack

4001-UDP Port Sweep

4100-Tftp Passwd File

6001-Normal SATAN Probe

6002-Heavy SATAN Probe

6050-DNS HINFO Request

6051-DNS Zone Transfer

6052-DNS Zone Transfer from High Port

6053-DNS Request for All Records

6102-RPC Dump

6150-ypserv Portmap Request

6151-ypbind Portmap Request

6152-yppasswdd Portmap Request

6153-ypupdated Portmap Request

6154-ypxfrd Portmap Request

6155-mountd Portmap Request

6175-rexd Portmap Request

6200-Ident Buffer Overflow

6201-Ident Newline

6250-FTP Authorization Failure

6251-Telnet Authorization Failure

6252-Rlogin Authorization Failure

6253-POP3 Authorization Failure

6255-SMB Authorization Failure

6300-Loki ICMP Tunneling

6302-General Loki ICMP Tunneling

8000:2101-FTP Retrieve Password File

8000:2302-Telnet-/etc/shadow Match

8000:2303-Telnet-+ +

8000:51301-Rlogin-IFS Match

8000:51302-Rlogin-/etc/shadow Match

8000:51303-Rlogin-+ +

10000:1000-IP-Spoof Interface 1

10000:1001-IP-Spoof Interface 2

Release version 1.0

1100-IP Fragment Attack

1101-Unknown IP Protocol

2000-ICMP Echo Reply

2001-ICMP Host Unreachable

2002-ICMP Source Quench

2003-ICMP Redirect

2004-ICMP Echo Request

2007-ICMP Timestamp Request

2008-ICMP Timestamp Reply

2011-ICMP Address Mask Request

2012-ICMP Address Mask Reply

2151-Large ICMP Traffic

2152-ICMP Flood

2154-Ping of Death Attack

3045-Queso Sweep

3050-Half-open SYN Attack

3160-Cesar FTP Buffer Overflow

3450-Finger Bomb

3602-Cisco IOS Identity

050-UDP Bomb

4600-IOS UDP Bomb

5290-Apache Tomcat DefaultServlet File Disclosure

5315-changedisplay.pl WWWthreads Privilege Elevation

5329-Apache/mod_ssl Worm Probe

5332-Wordtrans-web Command Exec

5381-VPASP SQL bang

6100-RPC Port Registration

6101-RPC Port Unregistration

6103-Proxied RPC Request

11013-Mutella File Request

11202-AOL / ICQ Activity

11203- IRC Channel Join

The following signatures are not associated with any particular release.

1105-Broadcast Source Address

1106-Multicast Ip Source Address


IDS Signatures Grouped by Software Release Version 3

  • Release version 2.2.1.1

    1104-IP Localhost Source Spoof

    3038-Fragmented NULL TCP Packet

    3039-Fragmented Orphaned FIN packet

    3040-NULL TCP Packet

    3041-SYN/FIN Packet

    3042-Orphaned Fin Packet

    3043-Fragmented SYN/FIN Packet

    3201-Unix Password File Access Attempt

    4054-RIP Trace

    5034-WWW IIS newdsn attack

    5035-HTTP cgi HylaFAX Faxsurvey

    5036-WWW Windows Password File Access Attempt

    5037-WWW SGI MachineInfo Attack

    5038-WWW wwwsql file read Bug

    5039-WWW finger attempt

    5040-WWW Perl Interpreter Attack

    5041-WWW anyform attack

    5042-WWW CGI Valid Shell Access

    5043-WWW Cold Fusion Attack

    5044-WWW Webcom.se Guestbook attack

    5045-WWW xterm display attack

    5046-WWW dumpenv.pl recon

    5047-WWW Server Side Include POST attack

    5048-WWW IIS BAT EXE attack

    5049-WWW IIS showcode.asp access

    5050-WWW IIS .htr Overflow Attack

    6055-DNS Inverse Query Buffer Overflow

    6104-RPC Set Spoof

    6105-RPC Unset Spoof

  • Release version 2.2.0.3

    4053-Back Orifice

  • Release version 2.2

    4002-UDP Flood

  • Release version 2.1.1.6

    3109-Long SMTP Command

    3229-Website Win-C-Sample Buffer Overflow

    3230-Website Uploader

    3231-Novell convert

    3232-WWW finger attempt

    3233-WWW count-cgi Overflow

    3525-IMAP Authenticate Buffer Overflow

    3526-Imap Login Buffer Overflow

    3550-POP Buffer Overflow

    3575-INN Buffer Overflow

    3576-INN Control Message Exploit

    3600-IOS Telnet Buffer Overflow

    3601-IOS Command History Exploit

    4051-Snork

    4052-Chargen DoS

    4150-Ascend Denial of Service

    6118-RPC ttdb Sweep

    6191-RPC.tooltalk buffer overflow

    6192-RPC mountd Buffer Overflow

  • Release version 2.1.1.5

    3030-TCP SYN Host Sweep

    3031-TCP FRAG SYN Host Sweep

    3032-TCP FIN Host Sweep

    3033-TCP FRAG FIN Host Sweep

    3034-TCP NULL Host Sweep

    3035-TCP FRAG NULL Host Sweep

    3036-TCP SYN FIN Host Sweep

    3037-TCP FRAG SYN FIN Host Sweep

    3108-MIME Overflow Bug

    6110-RPC RSTATD Sweep

    6111-RPC RUSERSD Sweep

    6112-RPC NFS Sweep

    6113-RPC MOUNTD Sweep

    6114-RPC YPPASSWDD Sweep

    6115-RPC SELECTION_SVC Sweep

    6116-RPC REXD Sweep

    6117-RPC STATUS Sweep

IDS Signatures Grouped by Software Release Version 2

Release version S27

1108-IP Packet with Proto 11

5279-JJ CGI Cmd Exec

5280-IIS idq.dll Directory Traversal

5281-Carello add.exe Access

5283-info2www CGI Directory Traversal

5284-IIS webhits.dll Directory Traversal

5285-PHPEventCalendar Cmd Exec

5286-WebScripts WebBBS Cmd Exec

Release version S26

3707-Perl fingerd Command Exec

3714-Oracle TNS 'Service_Name' Overflow

5243-CS .cgi Script Cmd Exec

5275-Phorum Remote Cmd Exec

5276-cart.cgi Command Execution

5276:1-cart.cgi vars,env,db Recon

5276:2-cart.cgi Backdoor

5277-dfire.cgi Command Exec

5278-VP-ASP shoptest.asp access

9015-Back Door Probe (TCP 23432)

9016-Back Door Probe (TCP 5400)

9017-Back Door Probe (TCP 5401)

9018-Back Door Probe (TCP 2115)

9019-Back Door (UDP 2140)

9020-Back Door (UDP 47262)

Release version S25

3705-Tivoli Storage Manager Client Acceptor Overflow

3706-MIT PGP Public Key Server Overflow

5251-Allaire JRun // Directory Disclosure

5262-Large number of Slashes URL

5263-ecware.exe Access

5265-RedHat cachemgr.cgi Access

5266-iCat Carbo Server File Disclosure

5268-Cisco Catalyst Remote Command Execution

5269-ColdFusion CFDOCS Directory Access

5270-EZ-Mall order.log File Access

5271-search.cgi Directory Traversal

5272-count.cgi GIF File Disclosure

5273-Bannermatic Sensitive File Access

5274-Netpad.cgi Directory Traversal/Cmd Exec

Release version S24

3702-Default sa account access

5249-IDS Evasive Encoding

5250-IDS Evasive Double Encoding

5252-Allaire JRun Session ID Recon

5253-Axis StorPoint CD Authentication Bypass

5254-Sambar Server CGI DoS Batch File

5255-Linux Directory traceroute / nslookup Command Exec

5256-Dot Dot Slash in URI

5257-PHPNetToolpack traceroute Command Exec

5258-Script source disclosure with CodeBrws.asp

5259-Snitz Forums SQL injection

5260-Xpede sprc.asp SQL Injection

5261-BackOffice Server Web Administration Access

Release version S23

6199-cachefsd Overflow

Release version S22

6198-rwalld String Format

9007-Back Door Probe (TCP 1234)

9008-Back Door Probe (TCP 1999)

9009-Back Door Probe (TCP 6711)

9010-Back Door Probe (TCP 6712)

9011-Back Door Probe (TCP 6713)

9012-Back Door Probe (TCP 6776)

9013-Back Door Probe (TCP 16959)

9014-Back Door Probe (TCP 27573)

Release version S21

3704-IIS FTP STAT Denial of Service

5244-PhpSmsSend Command Exec

5245-HTTP 1.1 Chunked Encoding Transfer

5246-IIS ISAPI Filter Buffer Overflow

5247-IIS ASP SSI Buffer Overflow

5248-IIS HTR ISAPI Buffer Overflow

Release version S20

5240-Marcus Xenakis Shell Command Exec

5241-Avenger System Command Exec

9000-Back Door Probe (TCP 12345)

9001-Back Door Probe (TCP 31337)

9002-Back Door Probe (TCP 1524)

9003-Back Door Probe (TCP 2773)

9004-Back Door Probe (TCP 2774)

9005-Back Door Probe (TCP 20034)

9006-Back Door Probe (TCP 27374)

Release version S19

3166-FTP USER Suspicious Length

3703-Squid FTP URL Buffer Overflow

5232-URL with XSS

5234-pforum sql-injection

5236-Xoops sql-injection

5237-HTTP CONNECT Tunnel

5238-EZNET Ezboard Buffer Overflow

5239-Sambar cgitest.exe Buffer Overflow

Release version S18

3164-Instant Server Mini Portal Directory Traversal

3405-Avirt Gateway proxy Buffer Overflow

3701-Oracle 9iAS Web Cache Buffer Overflow

5227-AHG Search Engine Command Exec

5229-DCP Portal Root Path Disclosure

5230-Lotus Domino Authentication Bypass

5231-MRTG Directory Traversal

5233-PHP fileupload Buffer Overflow

Release version S17

4507-SNMP Protocol Violation

5223-Pi3Web Buffer Overflow

5224-SquirrelMail SquirrelSpell Command Exec

Release version S16

4506-D-Link Wireless SNMP Plain Text Password

5197-Network Query Tool command Exec

5201-PHP-Nuke Cross Site Scripting

5203-Hosting Controller File Access and Upload

5205-Apache php.exe File Disclosure

5209-Agora.cgi Cross Site Scripting

5210-FAQManager.cgi directory traversal

5211-zml.cgi File Disclosure

5212-Bugzilla Admin Authorization Bypass

5213-Bugzilla Command Exec

5214-FAQManager.cgi null bytes

5215-lastlines.cgi cmd exec/traversal

5216-PHP Rocket Directory Traversal

5217-Webmin Directory Traversal

5218-Boozt Buffer Overflow

5219-Lotus Domino database DoS

5220-CSVForm Remote Command Exec

5221-Hosting Controller Directory Traversal

Release version S15

3700-CDE dtspcd overflow

Release version S14

3404-SysV /bin/login Overflow

3458-AIM game invite overflow

3459-ValiCert forms.exe overflow

4058-UPnP LOCATION Overflow

5202-PHP-Nuke File Copy / Delete

5204-AspUpload Sample Scripts

5206-Horde IMP Session Hijack

5207-Entrust GetAccess directory traversal

5208-Network Tools shell metacharacters

Release version S13

3117-KLEZ worm

3118-rwhoisd format string

3119-WS_FTP STAT overflow

3120-ANTS virus

3163-wu-ftpd heap corruption vulnerability

3403-Telnet Excessive Environment Options

3456-Solaris in.fingerd Information Leak

3501-Rlogin Long TERM Variable

5183-PHP File Inclusion Remote Exec

5191-Active Perl PerlIS.dll Buffer Overflow

5194-Apache Server .ht File Access

5195-AS/400 '/' attack

5196-Red Hat Stronghold Recon attack

5199-W3Mail Command Exec

5200-IIS Data Stream Source Disclosure

IDS Signatures Grouped by Software Release Version

For configuration management purposes, the following list of signatures is grouped by the software release version from which it was publicly released. For more information regarding these signatures refer to the signature descriptions above or go to www.cisco.com.

  • Release version S49

    3327-Windows RPC DCOM Overflow

    3328-Windows SMB/RPC NoOp Sled

  • Release version S48

    1109-Cisco IOS Interface DoS

    5380-phpBB SQL injection

    5382-Xpressions SQL Admin Bypass

    5383-Cyberstrong eShop SQL Injection

    6256-HTTP Authorization Failure

  • Release version S47

    5375-Apache mod_dav Overflow

    5376-iisPROTECT Admin SQL Injection

    5377-xp_cmdshell in HTTP args

    5378-Vignette TCL Injection Command Exec

    5379-Windows Media Services Logging ISAPI Overflow

    11204-Jabber Activity

  • Release version S46

    3123-NetBus Pro Traffic

    3124-Sendmail prescan Memory Corruption

    3176-Cisco ONS FTP DoS

    3326-Windows Startup Folder Remote Access

    5369-Win32 Apache Batch File CmdExec

    5370-HTDig File Disclosure

    5371-bdir.htr Access

    5372-ASP %20 source disclosure

    5373-IIS 5 Translate: f Source Disclosure

    5374-IIS Executable File Command Exec

    9025-Back Door Probe (TCP 20168)

    9026-Back Door Probe (TCP 1092)

    9027-Back Door Probe (TCP 2018)

    9028-Back Door Probe (TCP 2019)

    9029-Back Door Probe (TCP 2020)

    9030-Back Door Probe (TCP 2021)

    9225-Back Door Response (TCP 20168)

    9226-Back Door Response (TCP 1092)

    9227-Back Door Response (TCP 2018)

    9228-Back Door Response (TCP 2019)

    9229-Back Door Response (TCP 2020)

    9230-Back Door Response (TCP 2021)

    11014-Hotline Client Login

    11015-Hotline File Transfer

    11016-Hotline Tracker Login

    11200-Yahoo Messenger Activity

    11201-MSN Messenger Activity

  • Release version S44

    1300-TCP Segment Overwrite

    3325-Samba call_trans2open Overflow

    3732-MSSQL xp_cmdshell Usage

    5367-Apache CR / LF DoS

    5368-Cisco ACS Windows CSAdmin Overflow

    9024-Back Door Probe (TCP 10168)

    9224-Back Door Response (TCP 10168)

    11001-Gnutella Client Request

    11002-Gnutella Server Reply

    11003-Qtella File Request

    11004-Bearshare file request

    11005-KaZaA GET Request

    11006-Gnucleus file request

    11007-Limewire File Request

    11008-Morpheus File Request

    11009-Phex File Request

    11010-Swapper File Request

    11011-XoloX File Request

    11012-GTK-Gnutella File Request

  • Release version S43

    3311-SMB: remote SAM service access attempt

    3312-SMB .eml e-mail file remote access

    3313-SMB suspicious password usage

    3320-SMB: ADMIN$ hidden share access attempt

    3321-SMB: User Enumeration

    3322-SMB: Windows Share Enumeration

    3323-SMB: RFPoison Attack

    3324-SMB NIMDA infected file transfer

    4003-Nmap UDP Port Sweep

    5360-Frontpage htimage.exe Buffer Overflow

    5363-Frontpage imagemap.exe Buffer Overflow

    5364-IIS WebDAV Overflow

    5365-Long WebDAV Request

    5366-Shell Code in HTTP URL / Args

    6188-statd dot dot

    6189-statd automount attack

  • Release version S42

    5362-FrontPage dvwssr.dll Buffer Overflow

  • Release version S41

    3115-Sendmail Data Header Overflow

    5351-MS IE Help Overflow

    5352-H-Sphere Webshell Buffer Overflow

    5353-H-Sphere Webshell 'mode' URI exec

    5354-H-Sphere Webshell zipfile' URI exec

    5355-DotBr exec.php3 exec

    5356-DotBr system.php3 exec

    5357-IMP SQL Injection

    5358-Psunami.CGI Remote Command Execution

    5359-Office Scan CGI Scripts Access

  • Release version S40

    3314-Windows Locator Service Overflow

    4614-DHCP request overflow

    9200-Back Door Response (TCP 12345)

    9201-Back Door Response (TCP 31337)

    9202-Back Door Response (TCP 1524)

    9203-Back Door Response (TCP 2773)

    9204-Back Door Response (TCP 2774)

    9205-Back Door Response (TCP 20034)

    9206-Back Door Response (TCP 27374)

    9207-Back Door Response (TCP 1234)

    9208-Back Door Response (TCP 1999)

    9209-Back Door Response (TCP 6711)

    9210-Back Door Response (TCP 6712)

    9211-Back Door Response (TCP 6713)

    9212-Back Door Response (TCP 6776)

    9213-Back Door Response (TCP 16959)

    9214-Back Door Response (TCP 27573)

    9215-Back Door Response (TCP 23432)

    9216-Back Door Response (TCP 5400)

    9217-Back Door Response (TCP 5401)

    9218-Back Door Response (TCP 2115)

    9223-Back Door Response (TCP 36794)

  • Release version S39

    4701-MS-SQL Control Overflow

  • Release version S38

    5349-Polycom ViewStation Admin Password

    5350-PHPnuke e-mail attachment access

    6064-BIND Large OPT Record DoS

  • Release version S37

    3174-SuperStack 3 NBX FTP DOS

    3175-ProFTPD STAT DoS

    3652-SSH Gobbles

    4508-Non SNMP Traffic

    4613-TFTP Filename Buffer Overflow

    5343-Apache Host Header Cross Site Scripting

    5345-HTTPBench Information Disclosure

    5346-BadBlue Information Disclosure

    5347-Xoops WebChat SQL Injection

    5348-Cobalt RaQ Server overflow.cgi Cmd Exec

    7101-ARP Source Broadcast

    7102-ARP Reply-to-Broadcast

    7104-ARP MacAddress-Flip-Flop-Response

    7105-ARP Inbalance-of-Requests

    11000-KaZaA v2 UDP Client Probe

  • Release version S36

    5344-IIS MDAC RDS Buffer Overflow

  • Release version S35

    4611-D-Link DWL-900AP+ TFTP Config Retrieve

    4612-Cisco IP Phone TFTP Config Retrieve

    5294-BearShare File Disclosure

    5339-SunONE Directory Traversal

    5340-Killer Protection Credential File Access

    5341-HP Procurve 4000M Switch DoS

    5342-Invision Board phpinfo.php Recon

  • Release version S34

    3173-Long FTP Command

    3465-Finger Activity

    3502-rlogin Activity

    3604-Cisco Catalyst CR DoS

    5337-Dot Dot Slash in HTTP Arguments

    5338-Front Page Admin password retrieval

  • Release version S33

    5331-Image Javascript insertion

    5333-FUDForum File Disclosure

    5334-DB4Web File Disclosure

    5335-DB4WEB Proxy Scan

    5336-Abyss Web Server File Disclosure

    9023-Back Door Probe (TCP 36794)

  • Release version S32

    5330-Apache/mod_ssl Worm Buffer Overflow

    9021-Back Door (UDP 2001)

    9022-Back Door (UDP 2002)

  • Release version S31

    3121-Vintra MailServer EXPN DoS

    3122-SMTP EXPN root Recon

    3165-FTP SITE EXEC

    3168-FTP SITE EXEC Directory Traversal

    3169-FTP SITE EXEC tar

    3170-WS_FTP SITE CPWD Buffer Overflow

    3171-Ftp Privileged Login

    3172-Ftp Cwd Overflow

    3310-Netbios Enum Share DoS

    3406-Solaris TTYPROMPT /bin/login Overflow

    3457-Finger root shell

    3461-Finger probe

    3462-Finger Redirect

    3463-Finger root

    3464-File access in finger

    3551-POP User Root

    3711-Informer FW1 auth replay DoS

    4061-Chargen Echo DoS

    4509-HP Openview SNMP Hidden Community Name

    4510-Solaris SNMP Hidden Community Name

    4511-Avaya SNMP Hidden Community Name

    4609-Orinoco SNMP Info Leak

    4610-Kerberos 4 User Recon

    5321-Guest Book CGI access

    5322-Long HTTP Request

    5323-midicart.mdb File Access

    5327-Tilde in URI

    5328-Cisco IP phone DoS

    6277-Show Mount Recon

  • Release version S30

    2155-Modem DoS

    3730-Trinoo (TCP)

    3731-IMail HTTP Get Buffer Overflow

    4606-Cisco TFTP Long Filename Buffer Overflow

    4607-Deep Throat Response

    4608-Trinoo (UDP)

    5310-INDEX / directory access

    5311-8.3 file name access

    5323-Cisco Router http exec command

    5324-Cisco IOS Query (?/)

    5325-Contivity cgiproc DoS

    5326-Root.exe access

    6275-SGI fam Attempt

    6276-TooltalkDB overflow

  • Release version S29

    3728-Long pop username

    3729-Long pop password

    4603-DHCP Discover

    4604-DHCP Request

    4605-DHCP Offer

    5305-.bash_history File Access

    5305:1-.sh_history File Access

    5305:2-.history File Access

    5305:3-.zhistory File Access

    5306-SoftCart storemgr.pw File Access

    5308-rpc-nlog.pl Command Execution

    5309-handler CGI Command Execution

    5312-*.jsp/*.jhtml Java Execution

    5313-order.log File Access

    5316-BadBlue Admin Command Exec

    5317-Tivoli Endpoint Buffer Overflow

    5318-Tivoli ManagedNode Buffer Overflow

    5319-SoftCart orders Directory Access

    5320-ColdFusion administrator Directory Access

  • Release version S28

    3167-Format String in FTP username

    3708-AnalogX Proxy Socks4a DNS Overflow

    3709-AnalogX Proxy Web Proxy Overflow

    3710-Cisco Secure ACS Directory Traversal

    5282-IIS ExAir advsearch.asp Access

    5282:1-IIS ExAir search.asp Access

    5282:2-IIS ExAir query.asp Access

    5287-SiteServer AdSamples SITE.CSC File Access

    5288-Verity search97 Directory Traversal

    5289-SQLXML ISAPI Buffer Overflow

    5291-WEB-INF Dot File Disclosure

    5292-SalesCart shop.mdb File Access

    5293-robots.txt File Access

    5295-finger CGI Recon

    5296-Netscape Server PageServices Directory Access

    5297-order_log.dat File Access

    5298-shopper.conf File Access

    5299-quikstore.cfg File Access

    5300-reg_echo.cgi Recon

    5301-/consolehelp/ CGI File Access

    5302-/file/ WebLogic File Access

    5303-pfdispaly.cgi Command Execution

    5304-files.pl File Access

    5314-windmail.exe Command Execution

Sensor Status Alarms

Sensor status alarms are used to monitor the health of the sensor daemons. Events like daemons going down and daemons unstartable occur when sensor services fail or cannot be started or restarted. These report the health and status of the sensor and of the communication between the sensor and director.

993-Missed Packet Count: This signature is fired when the sensor is dropping packets. The percentage dropped can be used to help you tune the traffic level you are sending to the sensor. For example, if the alarms show a low count of dropped packets, or even zero, the sensor is monitoring the traffic without being overutilized. On the other hand, if 993 alarms show a high count of dropped packets, the sensor may be oversubscribed.

994-Traffic Flow Started: This signature fires when traffic on the sensing interface is detected for the first time or resumes after an outage. SubSig 1 fires when initial network activity is detected. SubSig 2 fires when the link (physical) layer becomes active.

995-Traffic Flow Stopped: Subsignature 1 is fired when no traffic is detected on the sensing interface. You can tune the timeout for this using the TrafficFlowTimeout parameter. Subsignature 2 is fired when a physical link is not detected.

996 - Route Up: This signifies that traffic between the sensor and director has started. When the services on the director and/or sensor are started, this alarm will appear in the event viewer.

997 - Route Down: This signifies that traffic between the sensor and director has stopped. When the services on the director and/or sensor are started, this alarm will appear in the event viewer.

998 - Daemon Down: One or more of the IDS sensor services has stopped.

999 - Daemon Unstartable: One or more of the IDS sensor services is unable to be started.

Policy Violation signature series 10000 series

The policy violation signatures apply to ACL violations. If you are not using ACLs, these alarms may not be of use. Before you can use them, the router(s) and sensor(s) must be configured accordingly.

  • 10000:1000-IP-Spoof Interface 1: This signature fires on notification from the NetSentry device that an IP datagram has been received in which an IP address that is behind the router has been used as a source address in front of the router.

  • 10000:1001-IP-Spoof Interface 2: This signature fires on notification from the NetSentry device that an IP datagram has been received in which an IP address that is behind the router has been used as a source address in front of the router.

  • 11000-KaZaA v2 UDP Client Probe: Kazaa is a peer-to-peer (P2P) file sharing application distributed by Sharman Networks.

  • 11001-Gnutella Client Request: This signature fires when a peer-to-peer client program based on the gnutella protocol sends out a connection request.

  • 11002-Gnutella Server Reply: This signature fires when a peer-to-peer server program based on the gnutella protocol replies to a connection request.

  • 11003-Qtella File Request: This signature fires when the Qtella peer-to-peer file sharing client requests a file from a server.

  • 11004-Bearshare file request: This signature fires when the BearShare peer-to-peer file sharing client requests a file from a server.

  • 11005-KaZaA GET Request: The signature fires when a client request to the default KazaA server port (TCP 1214) is detected.

  • 11006-Gnucleus file request: This signature fires when the Gnucleus peer-to-peer file sharing client requests a file from a server.

  • 11007-Limewire File Request: This signature fires when the LimeWire peer-to-peer file sharing client requests a file from a server.

  • 11008-Morpheus File Request: This signature fires when the Morpheus peer-to-peer file sharing client requests a file from a server.

  • 11009-Phex File Request: This signature fires when the Phex peer-to-peer file sharing client requests a file from a server.

  • 11010-Swapper File Request: This signature fires when the Swapper peer-to-peer file sharing client requests a file from a server.

  • 11011-XoloX File Request: This signature fires when the BearShare peer-to-peer file sharing client requests a file from a server.

  • 11012-GTK-Gnutella File Request: This signature fires when the GTK-Gnutella peer-to-peer file sharing client requests a file from a server.

  • 11013-Mutella File Request: This signature fires when the Mutella peer-to-peer file sharing client requests a file from a server.

  • 11014-Hotline Client Login: This signature is fired when a Hotline client logs into a hotline server.

  • 11015-Hotline File Transfer: This signature is fired when a Hotline file transfer is initiated.

  • 11016-Hotline Tracker Login: This signature is fired when a Hotline client contacts a Hotline tracker server.

  • 11200-Yahoo Messenger Activity: This signature fires when a Yahoo Messenger client login attempt to the default TCP port 5050 is detected.

  • 11201-MSN Messenger Activity: This signature fires when an MSN new connection attempt to the default TCP port 1863 is detected.

  • 11202-AOL / ICQ Activity: This signature fires when an AOL / ICQ new connection attempt to the default TCP port 5190 is detected.

  • 11203-IRC Channel Join: This signature fires when an attempt to join an IRC (Internet Relay Chat) channel is detected.

  • 11204-Jabber Activity: This signature fires when a Jabber client login attempt to the default TCP port is detected.
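The 10000:1000 and 10000:1001 checks above amount to ingress anti-spoofing: a source address that lives behind the router must never arrive on the outside of it. The following added example (not Cisco IDS or NetSentry code) shows that logic over a constructed interface-to-prefix map, and goes slightly beyond the two bullets by folding in the interface-independent source-address sanity signatures listed elsewhere on this page (1104 localhost source, 1105 broadcast source, 1106 multicast source). Interface names, prefixes and the mapping of interfaces to signature IDs are assumptions for the example.

```python
"""Toy ingress anti-spoof check modelled on the 10000-series policy
violation signatures. Added example; not Cisco IDS or NetSentry code.

The router side is assumed: a map from interface name to the prefixes
that live behind it. A packet arriving on interface X whose source
address belongs to a prefix behind some other interface is flagged, the
way 10000:1000 / 10000:1001 report a source "behind the router" seen
"in front" of it. The interface-independent source sanity checks
(1104 localhost, 1105 broadcast, 1106 multicast) run first.
"""
import ipaddress

# Constructed topology (assumption): prefixes that sit behind each interface.
BEHIND = {
    "eth1": [ipaddress.ip_network("10.1.0.0/16")],
    "eth2": [ipaddress.ip_network("10.2.0.0/16"),
             ipaddress.ip_network("192.0.2.0/24")],
}
# Assumed mapping of arrival interface to the spoof signature it fires.
SPOOF_SIG = {"eth1": "10000:1000", "eth2": "10000:1001"}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def check_source(iface: str, src: str, behind=BEHIND, spoof_sig=SPOOF_SIG):
    """Return the signature ID a packet's source address would fire, or None.

    iface: interface the packet arrived on; src: its IP source address.
    Only the limited broadcast address is treated as 1105 here (assumption).
    """
    addr = ipaddress.ip_address(src)
    if addr.is_loopback:
        return "1104"          # IP Localhost Source Spoof
    if addr == LIMITED_BROADCAST:
        return "1105"          # Broadcast Source Address
    if addr.is_multicast:
        return "1106"          # Multicast Ip Source Address
    # A source that belongs behind a *different* interface is spoofed.
    for other_iface, prefixes in behind.items():
        if other_iface == iface:
            continue
        if any(addr in net for net in prefixes):
            return spoof_sig.get(iface, "10000")
    return None


def scan(records, behind=BEHIND, spoof_sig=SPOOF_SIG):
    """records: iterable of (iface, src). Returns [(sig, iface, src)] hits."""
    hits = []
    for iface, src in records:
        sig = check_source(iface, src, behind, spoof_sig)
        if sig is not None:
            hits.append((sig, iface, src))
    return hits


# Constructed sample arrivals (not real traffic).
SAMPLE = [
    ("eth1", "10.2.5.5"),          # inside eth2 address arriving on eth1 -> 10000:1000
    ("eth2", "10.1.9.9"),          # inside eth1 address arriving on eth2 -> 10000:1001
    ("eth1", "10.1.9.9"),          # where it belongs -> clean
    ("eth1", "198.51.100.7"),      # unrelated external source -> clean
    ("eth2", "127.0.0.1"),         # 1104
    ("eth2", "255.255.255.255"),   # 1105
    ("eth1", "224.0.0.5"),         # 1106
]

if __name__ == "__main__":
    for sig, iface, src in scan(SAMPLE):
        print(f"sig {sig}: {src} arrived on {iface}")
```

The check keys on the arrival interface rather than on a fixed "inside/outside" pair, so the same function covers any number of router interfaces; the page's two signatures are the two-interface instance of it.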

Back Door signature series 9000 series

Back door signatures are specific to well-known back doors. These signatures fire on activity that targets the known ports and protocols of the back door. Any alarms from these signatures should be investigated closely. The ports can also be used by legitimate applications.

9000-Back Door Probe (TCP 12345): This signature fires when a TCP SYN packet to port 12345 is detected. This is a known trojan port for NetBus as well as the following: Adore sshd, Ashley, cron / crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus Toy, Pie Bill Gates, ValvNet, Whack Job, X-bill.

9001-Back Door Probe (TCP 31337): This signature fires when a TCP SYN packet to port 31337 is detected. This is a known trojan port for BackFire, Back Orifice, DeepBO, ADM worm, Baron Night, Beeone, bindshell, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, Gummo, Linux Rootkit, Sm4ck, Sockdmini.

9002-Back Door Probe (TCP 1524): This signature fires when a TCP SYN packet to port 1524 is detected. This is a known backdoor placed on machines by worms and hackers.

9003-Back Door Probe (TCP 2773): This signature fires when a TCP SYN packet to port 2773 is detected. This is a known trojan port for SubSeven.

9004-Back Door Probe (TCP 2774): This signature fires when a TCP SYN packet to port 2774 is detected. This is a known trojan port for SubSeven.

9005-Back Door Probe (TCP 20034): This signature fires when a TCP SYN packet to port 20034 is detected. This is a known trojan port for NetBus Pro as well as NetRex and Whack Job.

9006-Back Door Probe (TCP 27374): This signature fires when a TCP SYN packet to port 27374 is detected. This is a known trojan port for SubSeven as well as Bad Blood, EGO, Fake SubSeven, Lion, Ramen, Seeker, The Saint, Ttfloader and Webhead.

9007-Back Door Probe (TCP 1234): This signature fires when a TCP SYN packet to port 1234 is detected. This is a known trojan port for SubSeven.

9008-Back Door Probe (TCP 1999): This signature fires when a TCP SYN packet to port 1999 is detected. This is a known trojan port for SubSeven.

9009-Back Door Probe (TCP 6711): This signature fires when a TCP SYN packet to port 6711 is detected. This is a known trojan port for SubSeven.

9010-Back Door Probe (TCP 6712): This signature fires when a TCP SYN packet to port 6712 is detected. This is a known trojan port for SubSeven.

9011-Back Door Probe (TCP 6713): This signature fires when a TCP SYN packet to port 6713 is detected. This is a known trojan port for SubSeven.

9012-Back Door Probe (TCP 6776): This signature fires when a TCP SYN packet to port 6776 is detected. This is a known trojan port for SubSeven.

9013-Back Door Probe (TCP 16959): This signature fires when a TCP SYN packet to port 16959 is detected. This is a known trojan port for SubSeven.

9014-Back Door Probe (TCP 27573): This signature fires when a TCP SYN packet to port 27573 is detected. This is a known trojan port for SubSeven.

9015-Back Door Probe (TCP 23432): This signature fires when a TCP SYN packet to port 23432 is detected. This is a known trojan port for asylum.

9016-Back Door Probe (TCP 5400): This signature fires when a TCP SYN packet to port 5400 is detected. This is a known trojan port for back-construction.

9017-Back Door Probe (TCP 5401): This signature fires when a TCP SYN packet to port 5401 is detected. This is a known trojan port for back-construction.

9018-Back Door Probe (TCP 2115): This signature fires when a TCP SYN packet to port 2115 is detected. This is a known trojan port for bugs.

9019-Back Door (UDP 2140): This signature fires when a UDP packet to port 2140 is detected. This is a known trojan port for deep-throat.

9020-Back Door (UDP 47262): This signature fires when a UDP packet to port 47262 is detected. This is a known trojan port for delta-source.

9021-Back Door (UDP 2001): This signature fires when a UDP packet to port 2001 is detected. This is a known trojan port for the Apache/chunked-encoding worm.

9022-Back Door (UDP 2002): This signature fires when a UDP packet to port 2002 is detected. This is a known trojan port for the Apache/mod_ssl worm.

9023-Back Door Probe (TCP 36794): This signature fires when a TCP SYN packet to port 36794 is detected. This is a known trojan port for NetBus as well as the following: Bugbear.

9024-Back Door Probe (TCP 10168): This signature fires when a TCP SYN packet to port 10168 is detected. This is a known trojan port for lovegate.

9025-Back Door Probe (TCP 20168): This signature fires when a TCP SYN packet to port 20168 is detected. This is a known trojan port for lovegate.

9026-Back Door Probe (TCP 1092): This signature fires when a TCP SYN packet to port 1092 is detected. This is a known trojan port for lovegate.

9027-Back Door Probe (TCP 2018): This signature fires when a TCP SYN packet to port 2018 is detected. This is a known trojan port for fizzer.

9028-Back Door Probe (TCP 2019): This signature fires when a TCP SYN packet to port 2019 is detected. This is a known trojan port for fizzer.

9029-Back Door Probe (TCP 2020): This signature fires when a TCP SYN packet to port 2020 is detected. This is a known trojan port for fizzer.

9030-Back Door Probe (TCP 2021): This signature fires when a TCP SYN packet to port 2021 is detected. This is a known trojan port for fizzer.

9200-Back Door Response (TCP 12345): This signature fires when a TCP SYN/ACK packet from port 12345 is detected. This is a known trojan port for NetBus as well as the following: Adore sshd, Ashley, cron / crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus Toy, Pie Bill Gates, ValvNet, Whack Job, X-bill.

9201-Back Aperture Response (TCP 31337): This signature fires back a TCP SYN/ACK packet from anchorage 31337 which is a accepted trojan anchorage for BackFire, Aback Orifice, DeepBO, ADM worm, Baron Night, Beeone, bindshell, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, Gummo, Linux Rootkit, Sm4ck, Sockdmini.

9202-Back Aperture Response (TCP 1524): This signature fires back a TCP SYN/ACK packet from anchorage 1524 which is a accepted backdoor placed on machines by worms and hackers.

9203-Back Aperture Response (TCP 2773): This signature fires back a TCP SYN/ACK packet from anchorage 2773 which is a accepted trojan anchorage for SubSeven.

9204-Back Aperture Response (TCP 2774): This signature fires back a TCP SYN/ACK packet from anchorage 2774 which is a accepted trojan anchorage for SubSeven.

9205-Back Aperture Response (TCP 20034): This signature fires back a TCP SYN/ACK packet from anchorage 20034 which is a accepted trojan anchorage for Netbus Pro as able-bodied as NetRex and Whack Job.

9206-Back Aperture Response (TCP 27374): This signature fires back a TCP SYN/ACK packet from anchorage 27374 which is a accepted trojan anchorage for SubSeven as able-bodied as Bad Blood, EGO, Fake SubSeven, Lion, Ramen, Seeker, The Saint, Ttfloader and Webhead.

9207-Back Aperture Response (TCP 1234): This signature fires back a TCP SYN/ACK packet from anchorage 1234 which is a accepted trojan anchorage for SubSeven.

9208-Back Aperture Response (TCP 1999): This signature fires back a TCP SYN/ACK packet from anchorage 1999 which is a accepted trojan anchorage for SubSeven.

9209-Back Aperture Response (TCP 6711): This signature fires back a TCP SYN/ACK packet from anchorage 6711 which is a accepted trojan anchorage for SubSeven.

9210-Back Aperture Response (TCP 6712): This signature fires back a TCP SYN/ACK packet from anchorage 6712 which is a accepted trojan anchorage for SubSeven.

9211-Back Aperture Response (TCP 6713): This signature fires back a TCP SYN/ACK packet from anchorage 6713 which is a accepted trojan anchorage for SubSeven.

9212-Back Aperture Response (TCP 6776): This signature fires back a TCP SYN/ACK packet from anchorage 6776 which is a accepted trojan anchorage for SubSeven.

9213-Back Aperture Response (TCP 16959): This signature fires back a TCP SYN/ACK packet from anchorage 16959 which is a accepted trojan anchorage for SubSeven.

9214-Back Aperture Response (TCP 27573): This signature fires back a TCP SYN/ACK packet from anchorage 27573 which is a accepted trojan anchorage for SubSeven.

9215-Back Aperture Response (TCP 23432): This signature fires back a TCP SYN/ACK packet from anchorage 23432 which is a accepted trojan anchorage for asylum.

9216-Back Aperture Response (TCP 5400): This signature fires back a TCP SYN/ACK packet from anchorage 5400 which is a accepted trojan anchorage for back-construction.

9217-Back Aperture Response (TCP 5401): This signature fires back a TCP SYN/ACK packet from anchorage 5401 which is a accepted trojan anchorage for back-construction.

9218-Back Aperture Response (TCP 2115): This signature fires back a TCP SYN/ACK packet from anchorage 2115 which is a accepted trojan anchorage for bugs.

9223-Back Aperture Response (TCP 36794): This signature fires back a TCP SYN/ACK packet from anchorage 36794 which is a accepted trojan anchorage for NetBus as able-bodied as the following: Bugbear

9224-Back Aperture Response (TCP 10168): This signature fires back a TCP SYN/ACK packet from anchorage 10168 which is a accepted trojan anchorage for lovegate.

9225-Back Aperture Response (TCP 20168): This signature fires back a TCP SYN/ACK packet from anchorage 20168 which is a accepted trojan anchorage for lovegate.

9226-Back Aperture Response (TCP 1092): This signature fires back a TCP SYN/ACK packet from anchorage 1092 which is a accepted trojan anchorage for lovegate.

9227-Back Aperture Response (TCP 2018): This signature fires back a TCP SYN/ACK packet from anchorage 2018 which is a accepted trojan anchorage for fizzer.

9228-Back Aperture Response (TCP 2019): This signature fires back a TCP SYN/ACK packet from anchorage 2019 which is a accepted trojan anchorage for fizzer.

9229-Back Aperture Response (TCP 2020): This signature fires back a TCP SYN/ACK packet from anchorage 2020 which is a accepted trojan anchorage for fizzer.

9230-Back Aperture Response (TCP 2021): This signature fires back a TCP SYN/ACK packet from anchorage 2021 which is a accepted trojan anchorage for fizzer.

String Matching signature series 8000 series

These signatures are highly configurable. They allow you to look for specific strings in the payload of a packet. If an attack is underway and there is not already a signature for it, a temporary string match can be put in place to help mitigate some of the risk.

  • 8000:2101-FTP Retrieve Password File: This signature fires on string passwd issued during an FTP session.

  • 8000:2302-Telnet-/etc/shadow Match: This signature fires on string /etc/shadow issued during a telnet session.

  • 8000:2303-Telnet-+ +: This signature fires on string + + issued during a telnet session.

  • 8000:51301-Rlogin-IFS Match: This signature fires when an attempt to change the IFS to / is made during an rlogin session.

  • 8000:51302-Rlogin-/etc/shadow Match: This signature fires on string /etc/shadow issued during an rlogin session.

  • 8000:51303-Rlogin-+ +: This signature fires on string + + issued during an rlogin session.

ARP signature series 7000 series

The 7000 series covers all ARP type traffic. Do not look for any of these in software versions prior to 4.0.

  • 7101-ARP Source Broadcast: The sensor saw ARP packets with an ARP payload Source MAC broadcast address.

  • 7102-ARP Reply-to-Broadcast: The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address.

  • 7104-ARP MacAddress-Flip-Flop-Response: The sensor saw a set of ARP response packets where the ARP payload Mac-to-Ip mapping changed more than MacFlip number of times.

  • 7105-ARP Inbalance-of-Requests: The sensor saw many more requests than it saw replies for an IP address out of the ARP payload.


    Note

    The 7000 series signatures are only available in Cisco IDS versions 4.0 and newer.

Cross Protocol signature series 6000 series

Cross protocol signatures detect attacks that span multiple protocols. For example, RPC services use both TCP and UDP. DNS and authentication failures are some of the other activity covered in the 6000 series.

6001-Normal SATAN Probe: This is a supersignature that is fired when a port sweep pattern produced by the SATAN tool is detected.

6002-Heavy SATAN Probe: This is a supersignature that is fired when a port sweep pattern produced by the SATAN tool is detected.

6050-DNS HINFO Request: This signature fires on an attempt to access HINFO records from a DNS server.

6051-DNS Zone Transfer: This signature fires on normal DNS zone transfers, in which the source port is 53.

6052-DNS Zone Transfer from High Port: This signature fires on an illegitimate DNS zone transfer, in which the source port is not equal to 53.

6053-DNS Request for All Records: This signature fires on a DNS request for all records. Similar to a zone transfer in that it provides a method for transferring DNS records from a server to another requesting host.

6054-DNS Version Request: This signature fires when a request for the version of a DNS server is detected.

6055-DNS Inverse Query Buffer Overflow: This signature fires when an IQUERY request arrives with a data section that is larger than 255 characters.

6056-DNS NXT Buffer Overflow: This signature fires when a DNS server response arrives that has a long NXT resource where the length of the resource data is > 2069 bytes OR the length of the TCP stream containing the NXT resource is > 3000 bytes.

6057-DNS SIG Buffer Overflow: This signature fires when a DNS server response arrives that has a long SIG resource where the length of the resource data is > 2069 bytes OR the length of the TCP stream containing the SIG resource is > 3000 bytes.

6058-DNS SRV DoS: Alarms when a DNS query type SRV and DNS query class IN is detected with more than ten pointer jumps in the SRV resource record.

6059-DNS TSIG Overflow: Alarms when a DNS query type TSIG is detected and the domain name is greater than 255.

6060-DNS complain overflow: Alarms when an NS record is detected with a domain name greater than 255 and the IP address is 0.0.0.0, 255.255.255.255 or a multicast of form 224.X.X.X.

6061-DNS infoleak: Alarms when a DNS IQUERY is detected with a record data Length greater than 4 and Class IN.

6062-DNS authors request: Alarms when a DNS query type TXT class CHAOS is detected with string "Authors.Bind". This is not case sensitive.

6063-DNS Incremental zone transfer: Alarms when a DNS query type of 251 is detected.

6064-BIND Large OPT Record DoS: This signature will fire if a DNS request with an OPT resource record containing a large UDP payload length is detected.

6100-RPC Port Registration: This signature fires when attempts are made to register new RPC services on a target host.

6101-RPC Port Unregistration: This signature fires when attempts are made to unregister existing RPC services on a target host.

6102-RPC Dump: This signature fires when an RPC dump request is issued to a target host.

6103-Proxied RPC Request: This signature fires when a proxied RPC request is sent to the portmapper of a target host.

6104-RPC Set Spoof: This signature fires when an RPC set request with a source address of 127.x.x.x is detected.

6105-RPC Unset Spoof: This signature fires when an RPC unset request with a source address of 127.x.x.x is detected.

6110-RPC RSTATD Sweep: This signature fires when RPC requests are made to many ports for the RSTATD program.

6111-RPC RUSERSD Sweep: This signature fires when RPC requests are made to many ports for the RUSERSD program.

6112-RPC NFS Sweep: This signature fires when RPC requests are made to many ports for the NFS program.

6113-RPC MOUNTD Sweep: This signature fires when RPC requests are made to many ports for the MOUNTD program.

6114-RPC YPPASSWDD Sweep: This signature fires when RPC requests are made to many ports for the YPPASSWDD program.

6115-RPC SELECTION_SVC Sweep: This signature fires when RPC requests are made to many ports for the SELECTION_SVC program.

6116-RPC REXD Sweep: This signature fires when RPC requests are made to many ports for the REXD program.

6117-RPC STATUS Sweep: This signature fires when RPC requests are made to many ports for the STATUS program.

6118-RPC ttdb Sweep: This signature fires on an attempt to access the tooltalk database daemon on multiple ports on a single host.

6150-ypserv Portmap Request: This signature fires when a request is made to the portmapper for the YP server daemon (ypserv) port.

6151-ypbind Portmap Request: This signature fires when a request is made to the portmapper for the YP bind daemon (ypbind) port.

6152-yppasswdd Portmap Request: This signature fires when a request is made to the portmapper for the YP password daemon (yppasswdd) port.

6153-ypupdated Portmap Request: This signature fires when a request is made to the portmapper for the YP update daemon (ypupdated) port.

6154-ypxfrd Portmap Request: This signature fires when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.

6155-mountd Portmap Request: This signature fires when a request is made to the portmapper for the mount daemon (mountd) port.

6175-rexd Portmap Request: This signature fires when a request is made to the portmapper for the remote execution daemon (rexd) port.

6180-rexd Attempt: This signature fires when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution.

6188-statd dot dot: This signature alarms upon detecting a dot dot slash (../) sequence sent to the statd RPC service.

6189-statd automount attack: This signature alarms upon detecting a statd bounce attack on the automount process.

Note Signatures 6188 and 6189 are only available in Cisco IDS versions 4.0 and newer.

6190-statd Buffer Overflow: This signature fires when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.

6191-RPC.tooltalk buffer overflow: This signature fires when an attempt is made to overflow an internal buffer in the tooltalk rpc program.

6192-RPC mountd Buffer Overflow: This signature fires on an attempt to overflow a buffer in the RPC mountd application.

6193-RPC CMSD Buffer Overflow: This signature fires when an attempt is made to overflow an internal buffer in the Calendar Manager Service Daemon, rpc.cmsd.

6194-sadmind RPC Buffer Overflow: This signature fires when a call to RPC program number 100232 procedure 1 with a UDP packet length > 1024 bytes is detected.

6195-RPC amd Buffer Overflow: Signature 6195 will detect the exploitation of the RPC AMD Buffer Overflow vulnerability.

6196-snmpXdmid Buffer Overflow: This signature fires when an abnormally long call to the RPC program 100249 (snmpXdmid) and procedure 257 is detected.

6197-rpc yppaswdd overflow: This alarm fires when an overflow attempt is detected being sent to the yppaswdd RPC-based application.

6198-rwalld String Format: This signature fires if an unusually long message is detected being sent to the RPC service rwalld.

6199-cachefsd Overflow: This alarm fires when an overflow attempt is detected being sent to cachefsd, an RPC-based application.

6200-Ident Buffer Overflow: This signature fires when a server returns an IDENT response that is too large.

6201-Ident Newline: This signature fires when a server returns an IDENT response that includes a newline followed by more data.

6210-LPRng format String Overflow: Alarms when the first lpr command in a datastream is invalid (first byte != 1-9 ascii) and the length to the first LF is greater than 256.

6250-FTP Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish an FTP session.

6251-Telnet Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish a telnet session.

6252-Rlogin Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish an rlogin session.

6253-POP3 Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish a POP3 session.

6255-SMB Authorization Failure: This signature fires when a client fails Windows NT's (or Samba's) user authentication three or more successive times within a single SMB session.

6256-HTTP Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to log into a secured HTTP website.

6275-SGI fam Attempt: This signature detects accesses to the SGI fam RPC daemon. Attackers can use this service to gain information about files on the vulnerable system.

6276-TooltalkDB overflow: This signature will alarm upon detecting an rpc connection to rpc program number 100083 using procedure 103 with a buffer greater than 1024.

6277-Show Mount Recon: This signature alarms upon detecting an RPC call to show all mounts on an NFS server.

6300-Loki ICMP Tunneling: Loki is a tool designed to run an interactive session that is hidden within ICMP traffic.

6302-General Loki ICMP Tunneling: This signature fires when an imbalance of ICMP echo replies to echo requests is detected.

6350-SQL Query Abuse: This signature fires if a select query is issued using the OPENROWSET() function with an ad hoc exec statement in it.

6500-RingZero Trojan: The RingZero Trojan consists of an information transfer (ITS) agent and a port scanning (PST) agent.

6501-TFN Client Request: TFN clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential TFN commands sent from a TFN CLIENT —TO-> a SERVER.

6502-TFN Server Reply: TFN clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential TFN commands sent from a TFN SERVER —TO-> CLIENT.

6503-Stacheldraht Client Request: Stacheldraht clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht CLIENT —TO—> SERVER.

6504-Stacheldraht Server Reply: Stacheldraht clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht SERVER —TO—> CLIENT.

6505-Trinoo Client Request: Trinoo clients communicate by default on UDP port 27444 using a default command set.

6506-Trinoo Server Reply: Trinoo servers reply to clients by default on UDP port 31335 using a default command set.

6507-TFN2K Control Traffic: TFN2K is a Distributed Denial of Service tool.

6508-Mstream Control Traffic: This signature identifies the control traffic between both the attacker <-> client (aka handler), and between the client (aka handler) <-> server (aka agent or daemon).

6901-Net Flood ICMP Reply: This signature fires when a configurable threshold for ICMP Type 0 (Echo Reply) traffic is crossed.

6902-Net Flood ICMP Request: This signature fires when a configurable threshold for ICMP Type 8 (Echo Request) traffic is crossed.

6903-Net Flood ICMP Any: This signature fires when a configurable threshold for all ICMP traffic is crossed.

6910-Net Flood UDP: This signature fires when a configurable threshold for all UDP traffic is crossed.

6920-Net Flood TCP: This signature fires when a configurable threshold for all TCP traffic is crossed.

Note By default, signatures 6901, 6902, 6903, 6910, and 6920 are disabled. To use any or all of these signatures, first enable them, set the "Rate" parameter to zero, and run for a period of time. This is what is called diagnostic mode. They are a tremendous resource hog and should not be left on.

UDP signatures 4000 series

The 4000 series is specific to UDP. Just to refresh your memory, UDP is an unreliable protocol. They are a "send and pray" type of packet. You never know if they made it to their destination or not. Many of these signatures can cause enormous amounts of logs. Cisco has disabled most of these by default. Make sure you analyze your traffic before enabling them.

4001-UDP Port Sweep: This signature fires when a series of UDP connections to a number of different destination ports on a specific host have been initiated. This is an indicator of a reconnaissance sweep of your network. Be alert for potentially more serious attacks.

4002-UDP Flood

4003-Nmap UDP Port Sweep: This signature fires when a series of UDP connections to several different privileged ports (port number <>

4050-UDP Bomb: This signature fires when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt. Remember there is not any legitimate use for malformed packets.

4051-Snork: This signature fires when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected. If you have Windows applications that are using port 135, they should be excluded from firing this signature.

4052-Chargen DoS: This signature fires when a UDP packet is detected with a source port of 7 and a destination port of 19.

4053-Back Orifice: This signature fires when the IDS detects traffic coming from the Back Orifice server that is running on the network.

Note Back Orifice is a "backdoor" program that can be installed on a Microsoft Windows 95 or Windows 98 system allowing remote control of the system.

4054-RIP Trace: This signature fires when TRACEON or TRACEOFF commands are enabled for the packet.

4055-BackOrifice BO2K UDP: BO2K UDP mode is a basic configuration of BackOrifice. Seeing this traffic indicates a non-stealth use of the BO2K toolkit.

4056-NTPd readvar overflow: This signature will fire if a readvar command is seen with ntp data that is too large for the ntp daemon to capture.

4058-UPnP LOCATION Overflow: This signature alarms upon detecting a large location request sent to a UPnP device.

4060-Back Orifice Ping: Alarms when a BO Ping detector is used to scan a network.

4061-Chargen Echo DoS: This signature detects packets destined for port 7UDP, which is the echo port, with the chargen service port 19 as the source. This results in the contents of the packet being "echoed" back to the source IP address, which may be spoofed.

4100-Tftp Passwd File: Fires on an attempt to access the passwd file using TFTP. This signature is a good indicator that an attempt to gain unauthorized access to system resources is occurring.

4101-Cisco TFTPD Directory Traversal: Alarms when a TFTP request is made by appending ../ to the pathname.

4150-Ascend Denial of Service: This signature fires when an attempt has been made to send a maliciously malformed command to an Ascend router in an attempt to crash the router.

4500-Cisco IOS Embedded SNMP Community Names: Certain versions of Cisco IOS contain embedded community names that could possibly allow a remote attacker to view, modify, or both, SNMP MIB variables. This could lead to a denial-of-service attack or complete system compromise. There are two different Cisco product advisories regarding the community names. Make sure you check those for more information.

Note The first embedded community name "ILMI" is a read-write community name that allows access to the MIB-II System MIB and various ATM related MIBS. Remote users can modify SNMP variables such as the system name, contact, and location, and many of the ATM interface variables.

The second embedded community name "cable-docsis" is a read-write community string that was introduced as part of the support for the DOCSIS cable-industry standard. It allows a remote user to modify or view any SNMP variable on the affected system, including being able to retrieve the system configuration.

4501-Cisco CVCO/4K Remote Username/Password return: This signature detects attempts to access the list of system usernames and passwords on a Cisco Virtual Central device using SNMP. The passwords are encrypted with a trivial encoding scheme. This signature fires when an SNMP OID fragment 1.3.6.1.886.1.1.1.1 is detected.

4502-SNMP Password Brute Force Attempt: This signature detects attempts to brute-force guess community names. A threshold (default of 5) is set and the signature fires when more than this threshold of unique community names between a source and destination in a specified time interval is detected.

4503-SNMP NT Info Retrieve: This signature fires when an attempt to gain access to sensitive information about a certain Windows NT system is made. There are two SubSigIds associated with signature 4503. SubSigId 0 fires when an attempt is made to enumerate the list of usernames with SNMP OID .1.3.6.1.4.1.77.1.2.25. SubSigId 1 fires when an attempt is made to enumerate the list of system shares with SNMP OID .1.3.6.1.4.1.77.1.2.27.

4504-SNMP IOS Configuration Retrieval: This signature fires when an attempt to retrieve the configuration from a Cisco IOS device is made. This signature fires when the SNMP OID contains the pattern .1.3.6.1.4.1.9.2.1.55 as a prefix.

4505-SNMP VACM MIB Access: This signature fires when SNMP OID fragment .1.3.6.1.6.3.16.1.2.1.3 is matched in an attempt to access the SNMP v2 View-based Access Control MIB (VACM) table. The SNMP v2 View-based Access Control MIB (VACM) table contains all of the SNMP community names in clear-text.

4506-D-Link Wireless SNMP Plain Text Password: This signature fires when MIB OID 1.3.6.1.4.1.937.2.1.2.2.0 is accessed with community string "public".

4507-SNMP Protocol Violation: This signature fires when an error in decoding the SNMP protocol is detected.

4508-Non SNMP Traffic: This signature fires when non-SNMP traffic is detected destined for port 161UDP.

Note This signature is only available in Cisco IDS versions 4.0 and newer.

4509-HP Openview SNMP Hidden Community Name: This signature fires when the SNMP community name 'snmpd' is detected in an SNMP request.

4510-Solaris SNMP Hidden Community Name: This signature fires when the SNMP community name 'all private' is detected in an SNMP request.

4511-Avaya SNMP Hidden Community Name: This signature fires when the SNMP community name 'all private' is detected in an SNMP request.

4600-IOS UDP Bomb: This signature fires when improperly formed SYSLOG transmissions bound for port 514UDP are detected.

4601:0-CheckPoint Firewall RDP Bypass: This signature fires when traffic destined for port 259UDP with the following patterns is detected:

SubSig 0: 0x80 0x00 0x00 0x96

SubSig 1: 0x80 0x00 0x00 0x80

SubSig 2: 0x80 0x00 0x00 0x64

SubSig 3: 0x80 0x00 0x00 0x65.

4601:1-CheckPoint Firewall RDP Bypass: Alarms when the following command is sent to port 259UDP "\\x80\\x00\\x00\\x64".

4601:2-CheckPoint Firewall RDP Bypass: Alarms when the following command is sent to port 259UDP "\\x80\\x00\\x00\\x96".

4601:3-CheckPoint Firewall RDP Bypass: Alarms when the following command is sent to port 259UDP "\\x80\\x00\\x00\\x80".

4603-DHCP Discover: This signature fires when DHCP discovery attempts from clients are made. This is an indicator of unauthorized attempts to connect to the network. Normal DHCP discovery attempts can cause this signature to fire an alarm.

4604-DHCP Request: This signature fires when DHCP client requests are detected. This is an indicator of unauthorized attempts to connect to the network. Normal DHCP discovery attempts can cause this signature to fire an alarm.

4605-DHCP Offer: This fires when DHCP lease offers from a DHCP server are made. This is an indicator of unauthorized attempts to connect to the network. Normal DHCP offers can cause this signature to fire an alarm.

4606-Cisco TFTP Long Filename Buffer Overflow: This signature fires when a TFTP request for a file with an abnormally long name is detected. This is an indicator of a buffer overflow.

4607-Deep Throat Response: This signature fires when the string "My Mouth is Open" is detected in a UDP packet sent on well-known Deep Throat UDP ports.

4608-Trinoo (UDP): This signature fires when the string "trinoo" is detected on any UDP port known to carry Trinoo traffic.

4609-Orinoco SNMP Info Leak: This signature fires when a specially crafted packet is detected with a destination of UDP port 192. This is a good indicator that attempts are being made to retrieve the SNMP community names from the target.

4610-Kerberos 4 User Recon: This signature fires when a null character sent to UDP port 750 is detected. This is a good indicator that a Kerberos user recon attack may be occurring.

4611-D-Link DWL-900AP+ TFTP Config Retrieve: This signature fires when a TFTP request for the file 'config.img' is detected. This is an indicator of an attempted reconnaissance probe. If you are running this D-Link device, normal administrative work can cause this alarm.

4612-Cisco IP Phone TFTP Config Retrieve: This signature fires when a TFTP request for a Cisco IP Phone configuration file is detected. This may indicate an attempted reconnaissance attack.

4613-TFTP Filename Buffer Overflow: This signature fires when a TFTP read or write request with a filename containing a non-printable character is detected. This may be an indication of a buffer overflow attack.

4614-DHCP request overflow: This signature fires upon detecting a large dhcp request to port 67. The typical dhcp request is quite small in size and shouldn't fire this signature. If this signature fires, the traffic needs to be investigated.

4701-MS-SQL Control Overflow: This signature fires when a buffer overflow attempt to the MS-SQL control port (UDP 1434) is made. This is an indicator that the "Slammer" worm is present.
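The packet-field checks behind signatures 4050, 4051, 4052, 4061 and 4601 can be written out directly. The following is an added example, not Cisco's sensor code or part of this reference: it parses a raw IPv4/UDP packet and reports which of those signature IDs it would match. The 4050 comparison of the UDP length field against the UDP portion implied by the IP total length is my reading of that entry's wording, and the 4601 SubSig numbering follows the list given under 4601:0; all packets are constructed in the code, not captured traffic.

```python
"""Packet-field checks for several 4000-series UDP signatures (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Byte patterns listed under signature 4601:0, indexed by SubSig number as
# that entry lists them (the 4601:1-3 entries order them differently).
RDP_BYPASS_PATTERNS = [
    b"\x80\x00\x00\x96",  # SubSig 0
    b"\x80\x00\x00\x80",  # SubSig 1
    b"\x80\x00\x00\x64",  # SubSig 2
    b"\x80\x00\x00\x65",  # SubSig 3
]


@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    ip_total_len: int   # IP header "total length" field
    ip_header_len: int  # IHL * 4
    udp_len: int        # UDP header "length" field
    payload: bytes


def parse_ipv4_udp(frame: bytes) -> Optional[UdpDatagram]:
    """Decode an IPv4 packet carrying UDP; return None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17 or len(frame) < ihl + 8:  # protocol 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return UdpDatagram(src, dst, sport, dport, total_len, ihl, udp_len, frame[ihl + 8:])


def classify(frame: bytes) -> List[str]:
    """Return the signature IDs from this section that the datagram would trigger."""
    d = parse_ipv4_udp(frame)
    if d is None:
        return []
    hits = []
    # 4050 UDP Bomb: UDP length field shorter than the UDP portion implied by
    # the IP total length (interpretation of "UDP length less than IP length").
    if d.udp_len < d.ip_total_len - d.ip_header_len:
        hits.append("4050")
    # 4051 Snork: source port 135, 7 or 19 with destination port 135.
    if d.sport in (135, 7, 19) and d.dport == 135:
        hits.append("4051")
    # 4052 Chargen DoS: echo (7) -> chargen (19).
    if d.sport == 7 and d.dport == 19:
        hits.append("4052")
    # 4061 Chargen Echo DoS: chargen (19) -> echo (7).
    if d.sport == 19 and d.dport == 7:
        hits.append("4061")
    # 4601 CheckPoint Firewall RDP Bypass: listed 4-byte prefix sent to UDP 259.
    if d.dport == 259:
        for subsig, pattern in enumerate(RDP_BYPASS_PATTERNS):
            if d.payload.startswith(pattern):
                hits.append(f"4601:{subsig}")
    return hits


def build_ipv4_udp(src, dst, sport, dport, payload=b"", udp_len=None):
    """Build a constructed test packet (checksums left zero; the checks ignore them)."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


if __name__ == "__main__":
    samples = {  # constructed packets, not captured traffic
        "chargen->echo": build_ipv4_udp("10.0.0.5", "10.0.0.9", 19, 7, b"!\"#$"),
        "rdp bypass": build_ipv4_udp("10.0.0.5", "10.0.0.1", 40000, 259, b"\x80\x00\x00\x64x"),
        "short udp len": build_ipv4_udp("10.0.0.5", "10.0.0.9", 40000, 53, b"A" * 40, udp_len=12),
        "plain dns": build_ipv4_udp("10.0.0.5", "10.0.0.2", 40000, 53, b"\x00" * 12),
    }
    for name, frame in samples.items():
        print(f"{name:14s} -> {classify(frame) or 'no match'}")
```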

Web/HTTP signature series 5000

The 5000 series of signatures is the largest group. The signatures focus on different types of Web attacks. Buffer overflows, directory traversal, and illegal uploading and downloading of files are just a few examples.

  • 5034-WWW IIS newdsn attack: This signature fires when attempts are made to run the newdsn.exe command from the http server. This could be indicative of a remote denial of service attack attempt. This particular command could be used to fill up the target host's file system.

  • 5035-HTTP cgi HylaFAX Faxsurvey: This signature fires when an attempt is made to pass commands to the CGI program faxsurvey. A problem in the CGI program faxsurvey, included with the HylaFAX package from SGI, allows an attacker to execute commands on the host machine. These commands will execute at the privilege level of the HTTP server. There are no legitimate reasons to pass commands to the faxsurvey command. This signature indicates abuse and the source should be shunned.

  • 5036-WWW Windows Password File Access Attempt: This alarm is fired when an attempt is made to retrieve either the current or backup copy of the NT password file through a web server.

    • Sub ID: 1: Backup copy

    • Sub ID: 2: Current

  • 5037-WWW SGI MachineInfo Attack: This alarm is fired when an attempt is made to retrieve either the current or backup copy of the NT password file through a web server.

    • Sub ID: 1: Backup Copy

    • Sub ID: 2: Current

  • 5038-WWW wwwsql file read Bug: This signature fires when an attempt is made to read files in the cgi-bin directory by the www-sql script. This could indicate that a remote attacker is trying to download cgi-bin scripts and access otherwise protected directories under DocumentRoot.

  • 5039-WWW finger attempt: This signature fires when an attempt is made to run the finger program using the http server. It is recommended that all unnecessary programs be removed from the cgi-bin directory.

  • 5040-WWW Perl Interpreter Attack: This signature fires when someone attempts to pass and execute Perl commands on the server through a perl interpreter. These commands will execute with the privilege level of the Web Server. If successful, an attacker may gain unauthorized access and remotely execute commands. This can lead to further system access (including root access) and malicious activity. The source address for this signature should be shunned.

  • 5041-WWW anyform attack: This signature fires when an attacker attempts to execute arbitrary commands through the anyform cgi-bin script. The source address for this attack should be shunned.

  • 5042-WWW CGI Valid Shell Access: This signature fires when attempts are made to access a valid shell or interpreter on the targeted system. Shells include:

    • Sub ID: 1: bash

    • Sub ID: 2: tcsh

    • Sub ID: 3: ash, bsh, csh, ksh, jsh, or zsh

    • Sub ID: 4: sh

    • Sub ID: 5: Java interpreter

    • Sub ID: 6: Python interpreter

  • 5043-WWW Cold Fusion Attack: This signature fires when attempts are made to access example scripts that are shipped with the Cold Fusion Servers. The source address for this signature should be shunned.

    • Sub ID 1: indicates an attempt to access the openfile script. This script allows an attacker to upload files to the target host or server.

    • Sub ID 2 indicates an attempt to access displayopenedfile.cfm. This could indicate that a remote attacker is trying to access files on the target host or server.

    • Sub ID 3 indicates an attempt to upload files to a Cold Fusion server through the exprcalc.cfm script. This can be used to overwrite files on the target server or host.

  • 5044-WWW Webcom.se Guestbook attack: This signature fires when an attacker attempts to execute arbitrary commands through Webcom.se's rguest.exe or wguest.exe cgi-bin script. The source address for this attack should be shunned.

  • 5045-WWW xterm display attack: This signature fires when any cgi-bin script attempts to execute the command xterm -display. This is an indicator someone is trying to log in to your network illegally. There is no legitimate reason for someone to execute xterm -display. Any hosts attempting this command should be shunned.

  • 5046-WWW dumpenv.pl recon: This signature fires when an attempt is made to display information about the targeted host with the dumpenv.pl script. Some webservers include this script, which is intended to show environmental information about the server. External attempts should be scrutinized thoroughly. In most cases the source should be shunned.

  • 5047-WWW Server Side Include POST attack: This signature fires when attempts are made to embed a server side include (SSI) in an http POST command. This is an indicator someone is trying to access system resources without authorization.

  • 5048-WWW IIS BAT EXE attack: This signature fires when an attempt is made to execute remote commands on a Microsoft IIS 1.0-2.0b web server. This may indicate an attempt to illegally access system resources.

  • 5049-WWW IIS showcode.asp access: This signature fires whenever an attempt is made to access the showcode.asp Active Server Page. This script allows for arbitrary access to any file on the target's file system. Hosts that attempt to access this file, especially from outside your network, should be shunned.

  • 5050-WWW IIS .htr Overflow Attack: This signature fires when an .htr buffer overrun attack is detected, indicating a possible attempt to execute remote commands, or cause a denial of service against the targeted Windows NT IIS server. Hosts that attempt to cause this type of alarm, especially from outside your network, should be shunned.

  • 5051-IIS Double Byte Code Page: IIS contains a vulnerability that could allow a web site visitor to view the source code for selected files on the server. However, this depends on the server's default language. The vulnerability only applies to default languages set to Chinese, Japanese or Korean.

  • 5052-FrontPage Extensions PWD Open Attempt: This signature fires when attempts are made to open a configuration file on a Microsoft Personal Webserver (for Windows) or FrontPage extensions (for UNIX) web server.

  • 5053-FrontPage _vti_bin Directory List Attempt: This signature fires when attempts are made to list the directory of binaries from a Microsoft Personal Webserver (for Windows) or FrontPage extensions (for UNIX) web server.

  • 5054-WWWBoard Password: This signature fires when CGI scans are detected looking for WWWBoard services. WWWBoard has several vulnerabilities and should be used with great care.

  • 5055-HTTP Basic Authentication Overflow: This signature fires when extremely large usernames and passwords are detected during authentication. This can cause a buffer overflow.

  • 5056-WWW Cisco IOS %% DoS: This signature fires when attempts to crash a Cisco IOS-based product using the HTTP management interface are detected. Certain versions of IOS incorrectly interpret the characters "%%" when sent to the HTTP management interface. This can result in the router crashing, requiring a power cycle to restore normal operation.

    The affected operating system versions are: Cisco IOS 11.3AA, 11.3DB, 12.0x, 11.3, 11.2SA, 12.0T, 12.0W5, 12.0XA, 12.0XE, 12.0XH, 12.0XJ, 12.1, 12.1AA, 12.1DA, 12.1DB, 12.1DC, 12.1E, 12.1EC, 12.1T, 12.1XA, 12.1XB, 12.1XC, 12.1XD, 12.1XE, 12.1XF, 12.1XG, 12.1XH, 12.1XI, 12.1XJ, 12.1XL, 12.1XP, 11.2P, 11.2, 11.1, 11.0, 11.1CC, and 12.0.

    The affected software versions are: Cisco IOS 11.2SA, 12.0T, 12.0W5, 12.0XA, 12.0XE, 12.0XH, 12.0XJ, 12.1, 12.1AA, 12.1DA, 12.1DB, 12.1DC, 12.1E, 12.1EC, 12.1T, 12.1XA, 12.1XB, 12.1XC, 12.1XD, 12.1XE, 12.1XF, 12.1XG, 12.1XH, 12.1XJ, 12.1XL, 12.1XP, 11.2P, 11.2, 11.1, 11.3(1.2), 11.3(1.2)T, 11.3, 11.2(10)P, 11.1(14)CA, and 11.1CC.

    The affected services are: HTTP Web on ports 80/TCP and 8080/TCP.

  • 5057-WWW Sambar Samples: This signature fires when an attempt has been made to access certain CGI programs that contain known vulnerabilities shipped with the Sambar web server. Those programs are echo.bat and hello.bat.

  • 5058-WWW info2www Attack: This signature fires when an attempt is made to execute commands with the info2www CGI program.

  • 5059-WWW Alibaba Attack: This signature fires when an attempt is made to execute commands using certain CGI programs shipped with the Alibaba web server. Those programs are get32.exe, alibaba.pl, and tst.bat.

  • 5060-WWW Excite AT-generate.cgi Access: This signature fires when an attempt is made to access the CGI program AT-generate.cgi. Administrator passwords for the Excite Web Server application could be changed. If you feel your system has been subject to this type of activity have your system administrator verify the administrator passwords.

  • 5061-WWW catalog_type.asp Access: This signature fires when an attempt is made to access the vulnerable sample ASP file catalog_type.asp.

  • 5062-WWW classifieds.cgi Attack: This signature fires when an attempt has been made to execute commands with the CGI program classifieds.cgi.

  • 5063-WWW dmblparser.exe Access: This signature fires when an attempt is made to access the CGI program dmblparser.exe.

  • 5064-WWW imagemap.cgi Attack: This signature fires when an attempt is made to cause a buffer overflow in the CGI program imagemap.cgi.

  • 5065-WWW IRIX infosrch.cgi Attack: This signature fires when an attempt is made to execute commands using the IRIX CGI program infosrch.cgi.

  • 5066-WWW man.sh Access: An attempt has been made to access the CGI shell script man.sh.

  • 5067-WWW plusmail Attack: This signature fires when an attempt has been made to change the PlusMail administrator password. The attacker could possibly gain full control of the PlusMail program. If this is suspected have the system administrator verify the password.

  • 5068-WWW formmail.pl Access: This signature fires when an attempt is made to access the CGI program formmail.pl.

  • 5069-WWW whois_raw.cgi Attack: This signature fires when an attempt is made to access, and possibly execute commands using, the CGI program Cdomain whois_raw.cgi.

  • 5070-WWW msadcs.dll Access: This signature fires when an attempt is made to access the CGI program msadcs.dll. This is an indicator that a reconnaissance session is occurring for a possible later attack to exploit the IIS RDS vulnerability. The affected operating system version is Windows NT Server 4.0. The affected software and program versions are IIS 4.0 and 3.0. The affected services are: HTTP Web 80/TCP and 8080/TCP, HTTPS Web 443/TCP.

  • 5071-WWW msadcs.dll Attack: This signature fires when an attempt is made to execute commands or view secured files with privileged access. This type of activity should be scrutinized closely and administrators should audit and validate the system from which the activity has been detected. This is a very common attack used to deface websites.

  • 5072-WWW bizdb1-search.cgi Attack: An attempt has been made to execute commands or view files with the privileges of the web server using the CGI program bizdb1-search.cgi.

  • 5073-WWW EZshopper loadpage.cgi Attack: An attempt has been made to execute commands or view files with the privileges of the web server using the CGI program loadpage.cgi.

  • 5074-WWW EZshopper search.cgi Attack: An attempt has been made to execute commands or view files with the privileges of the web server using the CGI program EZshopper search.cgi.

  • 5075-WWW IIS Virtualized UNC Bug: An attempt has been made to view the source of an ASP file. A bug exists in certain versions of Microsoft's IIS web server which allows an attacker to view the source of ASP and other files if the IIS virtual directory they reside in has been mapped to a UNC share.

  • 5076-WWW webplus bug: An attempt was made to gain access to files outside the web server directories using the CGI program webplus.

  • 5077-WWW Excite AT-admin.cgi Access: An attempt has been made to access the CGI program AT-admin.cgi.

  • 5078-WWW Piranha passwd attack: An attempt has been made to access the vulnerable cgi script passwd.php3 with suspicious arguments. This is found in the piranha/secure/ directory.

  • 5079-WWW PCCS MySQL Admin Access: The PCCS PHP-based MySQL administration tool contains a file with the database administrator's username and password. This may not seem like much of a problem except that it can be accessed remotely.

  • 5080-WWW IBM WebSphere Access: This signature fires when someone attempts to access a JSP file using a URL like http://server/servlet/file/login.jsp potentially revealing the JSP source code.

  • 5081-WWW WinNT cmd.exe Access: This signature fires when the use of the Windows NT cmd.exe is detected in a URL.

  • 5083-WWW Virtual Vision FTP Browser Access: This signature fires when an attempt to traverse directories in a URL like http://server/cgi-bin/ftp/ftp.pl?dir=../../etc is detected.

  • 5084-WWW Alibaba Attack 2: This signature fires when a pipe (|) character is detected in a URL like http://server/cgi-bin/|post32.exe or http://server/cgi-bin/|sindex2.bat.

  • 5085-WWW IIS Source Fragment Access: This signature fires when a URL ending in "+.htr" is detected.

  • 5086-WWW WEBactive Logfile Access: This signature fires when an attempt to access the WEBactive logfile is detected.

  • 5087-WWW Sun Java Server Access: This signature fires when an attempt to access URLs like http://server/pservlet.html or http://server/servlet/sunexamples.RealmDumpServlet is detected.

  • 5088-WWW Akopia MiniVend Access: This signature fires when an attempt to access a URL like http://server/view_page.html is detected.

  • 5089-WWW Big Brother Directory Access: This signature fires when an attempt to traverse directories with the Big Brother CGI program bb-hostsvc.sh has been detected.

  • 5090-WWW FrontPage htimage.exe Access: This signature fires when the FrontPage CGI program is accessed with a filename argument ending with "0,0".

  • 5091-WWW Cart32 Remote Admin Access: This signature fires when an attempt is made to access the vulnerable cart32.exe cgi script with suspicious arguments: /cart32.exe/cart32clientlist or /c32web.exe/changeadminpassword.

  • 5092-WWW CGI-World Poll It Access: This signature fires when an attempt is made to access the Poll-It CGI using an internal script variable name "data_dir" as an argument in the HTTP request.

  • 5093-WWW PHP-Nuke admin.php3 Access: An attempt has been made to access the vulnerable PHP-Nuke admin.php3 cgi script using suspicious arguments.

  • 5095-WWW CGI Script Center Account Manager Attack: This signature fires when an attempt to change the administrator password of the CGI Script Center Account Manager is detected.

  • 5096-WWW CGI Script Center Subscribe Me Attack: This signature fires when an attempt to change the administrative password of the CGI Script Center Subscribe package is detected.

  • 5097-WWW FrontPage MS-DOS Device Attack: This signature fires when a URL is requested using the shtml.exe component of FrontPage that includes an MS-DOS device name. A denial of service can result from this URL request.

  • 5099-WWW GWScripts News Publisher Access: This signature fires when an attempt to add an author to the GWScripts News Publisher interface is detected.

  • 5100-WWW CGI Center Auction Weaver File Access: This signature fires when an attempt to access normally inaccessible files using the CGI script auctionweaver.pl is detected.

  • 5101-WWW CGI Center Auction Weaver Attack: This signature fires when an attempt to execute an unauthorized command using the auctionweaver.pl CGI script is detected.

  • 5102-WWW phpPhotoAlbum explorer.php Access: This signature fires when an unauthorized attempt to access files using the explorer.php CGI script is detected.

  • 5103-WWW SuSE Apache CGI Source Access: This signature fires when an attempt to access the /cgi-bin-sdb directory of a web server is detected.

  • 5104-WWW YaBB File Access: This signature fires when an attempt to read unauthorized files using the YaBB.pl CGI bulletin board program is detected.

  • 5105-WWW Ranson Johnson mailto.cgi Attack: This signature fires when an attempt to execute system commands using the mailto.cgi program is detected.

  • 5106-WWW Ranson Johnson mailform.pl Access: This signature fires when an attempt to access the "mailform.pl" has been detected.

  • 5107-WWW Mandrake Linux /perl Access: This signature fires when an attempt to access the URL path /perl directly has been detected.

  • 5108-WWW Netegrity Site Minder Access: This signature fires when an unauthorized attempt to access protected content on a website managed by Netegrity Site Minder using an authentication bypass method is detected. Looks for strings like "/$/somefile.ccc" in a URL.

  • 5109-WWW Sambar Beta search.dll Access: This signature fires when an unauthorized attempt to access files or directories using the Sambar Server search.dll CGI program is detected.

  • 5110-WWW SuSE Installed Packages Access: This signature fires when an attempt to access the URL /doc/packages is detected.

  • 5111-WWW Solaris Answerbook 2 Access: This signature fires when an attempt to add a user to the AnswerBook interface is detected.

  • 5112-WWW Solaris Answerbook 2 Attack: This signature fires when an attempt to execute an unauthorized command using the access / error rotation feature of the administrative interface of AnswerBook 2 is detected.

  • 5113-WWW CommuniGate Pro Access: This signature fires when an unauthorized attempt to access files using the Communigate Pro web interface is detected.

  • 5114-WWW IIS Unicode Attack: This signature fires when an attempt to exploit the Unicode ../ directory traversal vulnerability is detected. Looks for the commonly exploited combinations which are included in publicly available exploit scripts.

  • 5115-Netscape Enterprise Server with ?wp Tags: This signature fires when certain Netscape Enterprise Server 3.x HTML tags are detected in use. These tags allow remote users to view the contents of directories on the web servers. In most cases they should be disabled if not in use.

    Each of the HTML tags are as follows:

    • SubSigId 0 - ?wp-cs-dump

    • SubSigId 1 - ?wp-ver-info

    • SubSigId 2 - ?wp-html-rend

    • SubSigId 3 - ?wp-usr-prop

    • SubSigId 4 - ?wp-ver-diff

    • SubSigId 5 - ?wp-verify-link

    • SubSigId 6 - ?wp-start-ver

  • 5116-Endymion MailMan Remote Command Execution: This signature fires when the perl function open() is used on Endymion MailMan. This allows user-supplied input containing shell metacharacters to be executed as shell commands with the privilege level of the CGI script.

  • 5117-phpGroupWare Remote Command Exec: phpGroupWare is a multi-user groupware suite that is freely distributed. There exists a problem in the software that could allow users to remotely execute malicious code by exploiting a vulnerable include() command.

  • 5118-eWave ServletExec 3.0C File Upload: UploadServlet is a servlet that ServletExec contains in its server side classes. UploadServlet, when invoked with a specially formed HTTP or GET request, allows an attacker to upload any file to any directory on the server. The uploaded file may have code that can later be executed on the server, leading to remote command execution.

  • 5119-CGI Script Center News Update Admin Passwd Change: Newsup, a cgi script from the CGI Script Center allows password changes to the administrator account without proper verification. Every time a person changes a news update administrator password this signature will trigger.

  • 5120-Netscape Server Suite Buffer Overflow: This signature will fire if the value of the "content" variable sent to the CGI program "search" is longer than 1000 bytes. The Netscape Server administrative interface is installed on TCP port 24326 by default.

  • 5121-iPlanet .shtml Buffer Overflow: This signature fires if a request with more than 180 characters between slashes (/ or \) is received with a .shtml suffix.

  • 5122-Nokia IP440 Denial of Service: This signature will fire if more than 6000 characters are sent with a specifically formed request on a web port.

  • 5123-WWW IIS Internet Printing Overflow: There are two subsignatures associated with this signature.

    • SubSig 0: This alarm will fire if web traffic is detected sending an abnormally large GET request with a large 'Host' field. Both are

    • SubSig 1: This signature fires upon detecting .printer in a URI argument field with a large argument field length.

  • 5124-IIS CGI Double Decode: This signature fires when a doubly obfuscated attempt to traverse the directory structure of a web server is detected. Certain versions of the IIS web server perform a second pass decode of the arguments sent to a CGI program. During this second pass decode, the IIS server erroneously reevaluates the already decoded path portion of the URL. An attacker can manipulate the path portion of a URL in such a way as to hide characters, such as ../, which would normally be filtered out during the first pass decode of the URL.

    This signature will alarm if the following characters are found in a deobfuscated HTTP request:

    • SubSig 0 - %2e (.)

    • SubSig 1 - %2f (/)

    • SubSig 2 - %5c (\)

  • 5125-PerlCal Directory Traversal: This alarm will fire if a '../' is present in a HTTP request to the CGI script 'make_cal.pl'.

  • 5126-WWW IIS .ida Indexing Service Overflow: This signature will alarm if web traffic is detected with the ISAPI extension .ida? and a data size greater than 200 characters.

  • 5127-WWW viewsrc.cgi Directory Traversal: This alarm will fire if a ../ is used while requesting viewsrc.cgi using the web.

  • 5128-WWW nph-maillist.pl Cmd Exec: This alarm will fire if the cgi script nph-maillist.pl is used with the parameter e-mailaddress having a semicolon (;) in its argument.

  • 5129-IOS HTTP Unauth Command Execution: This signature fires when a HTTP attempt to bypass router authentication to execute privileged (level 15) commands is detected. The HTTP request looks like: http:///level/XX/exec/... where XX is 16 - 99.

    There are two subsignatures IDs:

    • SubSig 0 fires when XX is between 16 and 19 inclusive.

    • SubSig 1 fires when XX is between 20 and 99 inclusive.

  • 5130-Bugzilla globals.pl: This signature fires when an HTTP request for the file 'globals.pl' is detected.

  • 5131-talkback.cgi Directory Traversal: This signature fires when an HTTP access to talkback.cgi attempting to traverse outside the normal directory structure is detected.

  • 5132-VirusScan catinfo Buffer Overflow: This signature fires when an abnormally long request is made to the CGI script 'catinfo', which is part of the Interscan VirusWall management interface.

  • 5133-Net.Commerce Macro Path Disclosure: This signature fires when a HTTP request to 'macro.d2w', with NOEXISTINGHTMLBLOCK appended to the end of the path, is detected.

  • 5134-MacOS PWS DoS: This signature fires when an abnormally long HTTP request like "/?aaaa..." is detected.

  • 5138-Oracle Application Server Shared Library Overflow: Alarms when a URL containing more than 2050 characters is sent to an Oracle server.

  • 5140-Net.Commerce Macro Denial of Service: This signature fires when an abnormally long HTTP request has been made to the CGI script 'macro.d2w', which causes the server to crash.

  • 5141-NCM content.pl SQL Query Vulnerability: Alarms when content.pl is detected in the URL with '<' or '>' characters.

  • 5142-DCShop File Disclosure: This signature fires when an HTTP request to one of two files is detected.

    • SubSigId 0 - /DCShop/Orders/orders.txt

    • SubSigId 1 - /DCShop/Auth_data/auth_user_file.txt

  • 5143-Microsoft Media Player ASX Overflow: Alarms when a large string is detected in the BANNER.HREF field.

  • 5146-MS-DOS Device Name DoS: This is referred to as the "DOS Device in Path Name" vulnerability. Microsoft Windows 95, 98, and 98SE will allow an attacker to cause a DoS by using a pathname that includes file device names. The DOS device names are reserved words, and cannot be used as folder or file names.

    The following subsignature IDs correspond to the reserved DOS device names:

    • Subsig 0 alarms when /aux is detected in the URL.

    • Subsig 1 alarms when /CON is detected in the URL.

    • Subsig 2 alarms when /NUL is detected in the URL.

    • Subsig 3 alarms when /PRN is detected in the URL.

    • Subsig 4 alarms when /LPT1 through /LPT9 is detected in the URL.

    • Subsig 5 alarms when /COM1 through /COM9 is detected in the URL.

    • Subsig 6 alarms when /CLOCK$ is detected in the URL.

    • Subsig 7 alarms when /CONFIG$ is detected in the URL.

    • Subsig 8 alarms when /XMSXXXX0 is detected in the URL.

    • Subsig 9 alarms when /$MMXXXX0 is detected in the URL.

    • Subsig 10 alarms when /MSCD000 is detected in the URL.

    • Subsig 11 alarms when /DBLBUFF$ is detected in the URL.

    • Subsig 12 alarms when /EMMXXXX0 is detected in the URL.

    • Subsig 13 alarms when /IFS$HLP$ is detected in the URL.

    • Subsig 14 alarms when /SETVERXX is detected in the URL.

    • Subsig 15 alarms when /SCSIMGR$ is detected in the URL.

    • Subsig 16 alarms when /DBLSBIN$ is detected in the URL.

    • Subsig 17 alarms when /MS$MOUSE is detected in the URL.
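The matching described for 5124, 5129 and 5146 above, re-implemented as a small detector run over constructed request lines. This is an added example, not Cisco's signature engine; the once-only URL decode and the boundary check after each device name (so that /contact.html does not trip the /CON subsignature) are my assumptions about keeping false positives down, not behaviour the page specifies.

```python
"""Toy detector for three of the 5000-series signatures described above:
5124 (IIS CGI Double Decode), 5129 (IOS HTTP Unauth Command Execution) and
5146 (MS-DOS Device Name DoS). Added example; not Cisco's engine. The sample
request lines at the bottom are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# 5124: IIS decodes the path, then erroneously decodes it again. We decode
# once, as the first pass does, and alarm if an encoded '.', '/' or '\' is
# still present, since the second pass would turn it into a traversal
# character that the first-pass filter never saw. Subsig ids follow the page.
DOUBLE_DECODE_SUBSIGS = (("%2e", 0), ("%2f", 1), ("%5c", 2))


def sig5124_double_decode(path):
    """Return the list of 5124 subsig ids matched by this request path."""
    decoded_once = unquote(path).lower()
    return [sub for enc, sub in DOUBLE_DECODE_SUBSIGS if enc in decoded_once]


# 5129: /level/XX/exec/... with XX in 16-99 bypasses IOS HTTP authentication.
# Level 15 is the highest legitimate privilege level, so 0-15 does not alarm.
LEVEL_RE = re.compile(r"/level/(\d{1,2})/exec(?:/|$)")


def sig5129_ios_level(path):
    """Return 0 for XX 16-19, 1 for XX 20-99, None when 5129 does not fire."""
    m = LEVEL_RE.search(path)
    if m is None:
        return None
    level = int(m.group(1))
    if 16 <= level <= 19:
        return 0
    if 20 <= level <= 99:
        return 1
    return None


# 5146: reserved MS-DOS device names, keyed by subsig id as listed on the page.
# Assumption (mine, not the page's): the name must end at '/', '.', '?' or the
# end of the path, so that /contact.html does not fire the /CON subsig.
_DOS_DEVICES = [
    (0, r"aux"), (1, r"con"), (2, r"nul"), (3, r"prn"),
    (4, r"lpt[1-9]"), (5, r"com[1-9]"), (6, r"clock\$"), (7, r"config\$"),
    (8, r"xmsxxxx0"), (9, r"\$mmxxxx0"), (10, r"mscd000"), (11, r"dblbuff\$"),
    (12, r"emmxxxx0"), (13, r"ifs\$hlp\$"), (14, r"setverxx"), (15, r"scsimgr\$"),
    (16, r"dblsbin\$"), (17, r"ms\$mouse"),
]
DOS_DEVICE_RES = [
    (sub, re.compile(r"/" + pat + r"(?=[/.?]|$)", re.IGNORECASE))
    for sub, pat in _DOS_DEVICES
]


def sig5146_dos_device(path):
    """Return the list of 5146 subsig ids whose device name appears in path."""
    return [sub for sub, rx in DOS_DEVICE_RES if rx.search(path)]


def scan_request_line(line):
    """Evaluate one 'METHOD path HTTP/x.y' line; return [(sig, subsig), ...]."""
    parts = line.split()
    if len(parts) < 2:
        return []
    path = parts[1]
    alarms = [(5124, sub) for sub in sig5124_double_decode(path)]
    level_sub = sig5129_ios_level(path)
    if level_sub is not None:
        alarms.append((5129, level_sub))
    alarms.extend((5146, sub) for sub in sig5146_dos_device(path))
    return alarms


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/search?q=a%2Fb HTTP/1.0",        # single encoding: benign
    "GET /scripts/..%255c../secret.txt HTTP/1.0",  # %255c -> %5c: 5124 sub 2
    "GET /level/15/exec/show/version HTTP/1.0",    # level 15 is legitimate
    "GET /level/17/exec/show/config HTTP/1.0",     # 5129 sub 0
    "GET /level/42/exec/show/config HTTP/1.0",     # 5129 sub 1
    "GET /contact.html HTTP/1.0",                  # starts with /con: no alarm
    "GET /images/aux.htm HTTP/1.0",                # 5146 sub 0
    "GET /CONFIG$ HTTP/1.0",                       # 5146 sub 7 only, not sub 1
    "GET /docs/lpt3 HTTP/1.0",                     # 5146 sub 4
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:48s} -> {scan_request_line(req) or 'no alarm'}")
```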

  • 5147-Arcadia Internet Store Directory Traversal Attempt: This signature fires when an attempt is made to pass ../.. as a template argument to the tradecli.dll for the Internet Directory Store program.

  • 5148-Perception LiteServe Web Server CGI Script Source Code Disclosure: Alarms when an MS-DOS style CGI directory name is contained in a web request.

  • 5149-Trend Micro Interscan Viruswall Configuration Modification: Alarms when interscan.dll is accessed.

  • 5150-InterScan VirusWall RegGo.dll Buffer Overflow: Alarms when RegGo.dll is sent a buffer greater than 820 bytes in length.

  • 5151-WebStore Admin Bypass: Detects when an attempt to bypass the administrative authentication of the WebStore application is made.

  • 5152-WebStore Command Exec: This signature fires when an attempt to execute unauthorized commands with WebStore application is detected.

  • 5154-WWW uDirectory Directory Traversal: Alarms when udirectory.pl is called with an argument that contains '../.'.

  • 5155-WWW SiteWare Editor Directory Traversal: Alarms if SWEditServlet is called with a '../' as an argument.

  • 5156-WWW Microsoft fp30reg.dll Overflow: Alarms if fp30reg.dll is detected with an argument size greater than 258 bytes.

  • 5157-Tarantella TTAWebTop.CGI Directory Traversal Bug: This signature fires when an attempt is made to pass ../.. as a value for the pg argument to the ttawebtop.cgi program.

  • 5158-iPlanet Proprietary Method Overflow: This alarm will fire if a supported method is requested with arguments of greater than 2000 characters. Unless an iPlanet web server is being used on your network this alarm should be disabled. Many web forms use GET/POST methods which, when used with large sets of arguments, could cause this signature to fire.

    The following subsignature IDs correspond to the iPlanet proprietary methods:

    • Sub Sig 0 DELETE

    • Sub Sig 1 INDEX

    • Sub Sig 2 PUT

    • Sub Sig 3 MOVE

    • Sub Sig 4 MKDIR

    • Sub Sig 5 POST

    • Sub Sig 6 COPY

    • Sub Sig 7 EDIT

    • Sub Sig 8 UNEDIT

    • Sub Sig 9 SAVE

    • Sub Sig 10 LOCK

    • Sub Sig 11 UNLOCK

    • Sub Sig 12 REVLABEL

    • Sub Sig 13 REVLOG

    • Sub Sig 14 REVADD

    • Sub Sig 15 REVNUM

    • Sub Sig 16 SETATTRIBUTE

    • Sub Sig 17 GETATTRIBUTE

    • Sub Sig 18 GETATTRIBUTENAMES

    • Sub Sig 19 GETPROPERTIES

    • Sub Sig 20 STARTREV

    • Sub Sig 21 STOPREV

  • 5159-phpMyAdmin Cmd Exec: The trigger will fire upon detecting access to sql.php with the arguments 'goto' and 'btnDrop=No'.

  • 5160-Apache ? indexing file disclosure bug: This signature fires on attempts to view directories on web servers with certain strings in the URLs. The URL types are:

    • Sub Sig 0: /directory/?M=A

    • Sub Sig 1: /directory/?S=D.

  • 5160:1-Apache ? indexing file disclosure bug: This signature fires on attempts to view directories on web servers with certain strings in the URLs. The URL types are:

    • Sub Sig 0: /directory/?M=A

    • Sub Sig 1: /directory/?S=D

  • 5161-SquirrelMail Command Exec: This signature fires when an attempt to insert malicious PHP code in to the CGI script 'options_order.php' is detected in a HTTP request.

  • 5162-Active Classifieds Command Exec: This signature fires when an attempt to insert arbitrary Perl code into an HTTP request to 'admin.cgi' is detected.

  • 5163-Mambo SiteServer Administrative Password ByPass: Alarms when a request to index2.php is detected with a UID of administrator.

  • 5164-PHPBB Remote SQL Query Manipulation: Alarms when a user_level of 4 is sent to prefs.php.

  • 5165-php-nuke article.php sql query: This signature will fire when it detects a web request to 'article.php' with the arguments of mainfile and prefix. Valid requests can cause false positives.

  • 5166-php-nuke modules.php DoS: This will fire when it detects access to modules.php with an argument's value of '../'.

  • 5167-phpMyAdmin Cmd Exec 2: This signature fires when an attempt to execute unauthorized PHP commands using phpMyAdmin is detected. The following subsignatures are associated with their PHP scripts:

    • SubSig 0: illegitimate use of the CGI script 'tbl_copy.php'.

    • SubSig 1: illegitimate use of the CGI script 'tbl_rename.php'.

  • 5168-Snapstream PVS Directory Traversal Bug: Fires on an attempt to use '../' to traverse the directory tree on a webserver listening on port 8129.

  • 5169-SnapStream PVS Plaintext Password Vulnerability: This signature fires when an attempt to touch the ssd.ini file is detected on port 8129.

  • 5170-NULL byte in URI: This signature fires when a URL request ending in a NULL (0x00) character is detected.

  • 5171-NC-Book book.cgi Cmd Exec: This signature fires when 'book.cgi' is accessed with arguments that contain pipes (|). The CGI script is located in /ncbook/.

  • 5172-WinWrapper Admin Server Directory Traversal: Alarms when the classic directory traversal '../' is detected on port 4096.

  • 5173-Directory Manager Cmd Exec: This signature fires if edit_image.php is called with the parameter 'userfile_name' containing a semicolon (;). The server does not filter these out. As long as the user is required to authenticate on the webserver this vulnerability is eliminated.

  • 5174-phpmyexplorer directory traversal: This signature fires when index.php is accessed with a parameter 'chemin' whose value contains '../'.

  • 5175-Hassan Shopping Cart Command Exec: This signature fires when an attempt to execute unauthorized commands using the CGI script 'shop.pl' is detected.

  • 5176-Exchange Address List Disclosure: This signature fires when an attempt to retrieve addresses from the Global Address Book using the Exchange Outlook Web Access interface is detected. False positives can occur because of legitimate queries to the Exchange server.

  • 5178-MS Index Server File/Path Recon: This signature fires when the 'SQLQHit.asp' file is accessed with the argument 'CiColumns' containing a wildcard (*).

  • 5179-PHP-Nuke File Upload: This signature fires when an attempt to upload a file using the 'admin.php' CGI script is detected.

  • 5180-sgiMerchant Directory Traversal: This signature fires when the 'view_item' file is accessed with the value '../' in the parameter html_file.

  • 5181-MacOS Apache File Disclosure: This signature fires when certain patterns are detected at the end of HTTP requests. The following is a list of subsignatures and their associated patterns:

    • SubSig 0 - '/.DS_Store'

    • SubSig 1 - '/.FBCIndex'

  • 5181:1-MacOS Apache File Disclosure: This signature fires when './FBCIndex' is detected in a URL.

  • 5182-WebDiscount's eShop Arbitrary Command Exec: This signature fires when certain shell meta-characters are detected as part of the input to the Perl script eShop.pl. The characters are (;) and (|).

  • 5183-PHP File Inclusion Remote Exec: This signature fires when there is an attempt made by a PHP script to retrieve a file using HTTP for execution. Legitimate use of PHP scripts can cause false positives.

  • 5184-Apache Authentication Module ByPass: This signature fires upon detecting a select statement on the Authorization line of an HTTP header.

  • 5188-HTTP Tunneling: This signature fires when HTTP tunneling tools are detected in use. These tools allow users inside your private network to bypass the firewall and reach services such as FTP and chat. This violates most security policies, poses a real threat to internal networks, and should not be allowed.

    • SubSig 0: This signature, GotomyPC, fires when a computer connects to the GotomyPC site.

    • SubSig 1: This signature, FireThru, fires when an attempt to use /cgi-bin/proxy is detected. The cgi-bin/proxy script is used to tunnel connections to other ports over web ports.

    • SubSig 2: This signature, HTTP Port, fires when a connection is made to exectech-va.com. The site runs a server that connects to a requested resource and returns the information over web ports.

    • SubSig 3: This signature, httptunnel, fires when '/index/html?crap' is detected in a POST request.

  • 5191-Active Perl PerlIS.dll Buffer Overflow: This signature fires when a filename longer than 300 characters with the '.pl' extension is seen in a URL.

  • 5194-Apache Server .ht File Access: This signature fires when an HTTP request to specific files is detected. The files are:

    • SubSig 0: .htaccess

    • SubSig 1: .htpasswd

    • SubSig 2: .htgroup

  • 5195-AS/400 '/' attack: This signature fires when a GET request with '.jsp/' on the end is detected. Unless you are running an IBM AS/400 web server you should disable this signature. This signature can cause false positives.

  • 5196-Red Hat Stronghold Recon attack: This signature fires when an HTTP request to specific files is detected. Those files are:

    • SubSig 0: stronghold-info

    • SubSig 1: stronghold-status

  • 5197-Network Query Tool command Exec: This signature fires when attempts are made to pass shell metacharacters to the 'nqt.php' or 'network_query.php' variables.

  • 5199-W3Mail Command Exec: This signature fires if an attempt to execute commands in a HTTP request to the CGI program 'sendmessage.cgi' is detected.

  • 5200-IIS Data Stream Source Disclosure: This signature fires when attempts are made to access a file over HTTP with the '::$DATA' extension. This extension looks peculiar in itself and any sighting should be scrutinized thoroughly.

  • 5201-PHP-Nuke Cross Site Scripting: Cross site scripting occurs when web applications gather malicious data from a user. This data is gathered in the form of a hyperlink that contains the malicious content within it. The subsignatures associated with PHP-Nuke Cross Site Scripting are:

    • SubSig 0: This signature fires if 'user.php' is accessed and the parameter uname contains a HTML script directive.

    • SubSig 1: This signature fires when 'modules.php' is accessed and the parameter title contains a HTML script directive.

    • SubSig 2: This signature fires when 'phptonuke.php' is accessed and the parameter 'filenavn' contains a HTML script directive.

  • 5202-PHP-Nuke File Copy / Delete: This signature fires when attempts are made to either copy or delete files using the PHP-Nuke administrator filemanager. The subsignatures associated with this signature are:

    • SubSig 0: This signature fires when attempts are made to copy a file using the PHP-Nuke administrator filemanager module.

    • SubSig 1: This signature fires when attempts are made to delete a file using the PHP-Nuke administrator filemanager module.

  • 5203-Hosting Controller File Access and Upload: This signature fires when directory traversal attempts are made using the script 'filemanager.asp'. This is a good indicator that uploading to or downloading from the web server is taking place.

  • 5204-AspUpload Sample Scripts: This signature fires when certain sample scripts are detected as being used. Sample scripts should be removed from all production servers.

    • SubSig 0: This signature fires if directory traversal attempts to use the sample script "UploadScript11.asp" are detected.

    • SubSig 1: This signature fires if attempts to use the sample script "DirectoryListing.asp" are detected.

  • 5205-Apache php.exe File Disclosure: This signature fires when a MS-DOS drive letter is detected as an argument to the script 'php.exe'. This is a good indicator that unauthorized attempts to retrieve files off the Apache web server are occurring.

  • 5206-Horde IMP Session Hijack: This signature fires if 'status.php3' is accessed and the message parameter includes a script HTML directive.

  • 5207-Entrust GetAccess directory traversal: This signature fires when a directory traversal '../' is sent as an argument value to the script 'aboutbox.gas.bat'.

  • 5208-Network Tools shell metacharacters: This signature fires when a shell metacharacter is sent as an argument to the Network_Tool.

  • 5209-Agora.cgi Cross Site Scripting: This signature fires when HTML tags are detected as arguments sent to the Agora shopping cart application.

  • 5210-FAQManager.cgi directory traversal: This signature fires when a web request to FAQManager.cgi with a hard-coded path to a file outside of the web directory is detected.

  • 5211-zml.cgi File Disclosure: This signature fires when a 'file' argument containing '../' is sent to the zml.cgi script.

  • 5212-Bugzilla Admin Authorization Bypass: This signature fires when an unauthorized attempt is made to add a user to the administrative group of Bugzilla.

  • 5213-Bugzilla Command Exec: This signature fires if an attempt is made to add an unauthorized command to Bugzilla.

  • 5214-FAQManager.cgi null bytes: This signature fires if a web request to FAQManager.cgi with a null byte appended to the request is detected.

  • 5215-lastlines.cgi cmd exec/traversal: This signature fires when an HTTP request for lastlines.cgi with arguments is detected. The subsignatures with the associated arguments are:

    • SubSig 0: ../

    • SubSig 1: Shell Metacharacters

  • 5216-PHP Rocket Directory Traversal: This signature fires when an HTTP request to 'PHProcketadmin.php' or 'index.php' with a value for the parameter page of '../' is detected.

  • 5217-Webmin Directory Traversal: This signature fires when an HTTP request to 'edit_action.cgi' with an argument of '../' is detected.

  • 5218-Boozt Buffer Overflow: This signature fires when 'Index.cgi' in the Boozt package is sent a name containing 1000+ characters.

  • 5219-Lotus Domino database DoS: This signature fires when '/./' is detected in the URL.

  • 5220-CSVForm Remote Command Exec: This signature fires when the script 'CSVForm.pl' is sent a file argument containing a pipe "|" character.

  • 5221-Hosting Controller Directory Traversal: This signature fires when an http request to a hosting controller file with certain arguments for the failpath is detected. False positives are possible if an administrator issues certain web requests. The subsignatures and the associated files are:

    • SubSig 0 statsbrowse.asp

    • SubSig 1 servubrowse.asp

    • SubSig 2 browsedisk.asp

    • SubSig 3 browsewebalizerexe.asp

    • SubSig 4 sqlbrowse.asp

  • 5223-Pi3Web Buffer Overflow: This signature fires when a long HTTP request to the CGI program 'hello.exe' is detected.

  • 5224-SquirrelMail SquirrelSpell Command Exec: This signature fires when an attempt to execute commands using the SquirrelSpell feature of SquirrelMail is detected.

  • 5227- AHG Search Engine Command Exec: This signature fires when shell metacharacters ';|' are detected as input to the script 'search.cgi'.

  • 5229- DCP Portal Root Path Disclosure: This signature fires when a request to access add_user.php is detected.

  • 5230-Lotus Domino Authentication Bypass: The alarm fires when a .nsf file is accessed with a URL longer than 230 bytes.

  • 5231- MRTG Directory Traversal: This signature will fire if directory traversal attempts using MRTG CGI scripts are detected.

  • 5232-URL with XSS: This signature alarms upon detecting a URL with script in it. This is a common way to carry out cross site scripting (XSS), which occurs when web applications gather malicious data from a user. This data is gathered in the form of a hyperlink that contains the malicious content within it.

  • 5233-PHP fileupload Buffer Overflow: This signature fires when abnormally long file name arguments are sent to an HTTP form.

  • 5234-pforum sql-injection: This signature will fire when a sql-injection attempt to 'logincheck.php' is detected.

  • 5236-Xoops sql-injection: This signature will fire upon detecting a request to userinfo.php that contains a sql-injection attack in a parameter.

  • 5237-HTTP CONNECT Tunnel: The signature fires when the HTTP CONNECT method is detected. Attackers may try to exploit vulnerabilities in HTTP proxies to help hide their locations. Internal users accessing proxies can cause false positives.

  • 5238-EZNET Ezboard Buffer Overflow: The alarm fires when access to scripts 'Ezboard.cgi', 'Ezman.cgi', or 'Ezadmin.cgi' is detected. The HTTP header must be greater than 350 characters to make this signature fire.

  • 5239-Sambar cgitest.exe Buffer Overflow: This signature fires when an unusually long argument is detected being sent to the CGI program "/cgitest.exe".

  • 5240-Marcus Xenakis Shell Command Exec: The alarm fires when shell metacharacters are detected as argument to the script 'directory.php'.

  • 5241-Avenger System Command Exec: The alarm fires when a directory traversal or shell metacharacters are input to ans.pl script.

  • 5243-CS .cgi Script Cmd Exec: This signature will alarm upon detecting the use of a possible command exec statement in the argument list. The subsignatures and the associated scripts are:

    • SubSig 0: - csSearch.cgi

    • SubSig 1: - csMailto.cgi

    • SubSig 2: - csGuestbook.cgi

    • SubSig 3: - csLiveSupport.cgi

    • SubSig 4: - csNewsPro.cgi

    • SubSig 5: - csChatRBox.cgi

  • 5244-PhpSmsSend Command Exec: This signature fires when an attempt to execute unauthorized commands using the CGI program 'phpsmssend.php' is detected.

  • 5245- HTTP 1.1 Chunked Encoding Transfer: This signature fires when HTTP 1.1 chunked encoding transfer activity is detected. False positives are possible. Any detect should be scrutinized closely.

  • 5246-IIS ISAPI Filter Buffer Overflow: This signature fires when an unusually long argument sent to the CGI program 'shtml.exe' is detected.

  • 5247-IIS ASP SSI Buffer Overflow: This signature fires when a HTTP request for an Active Server Page (ASP) document has an unusually large 'Content-Length' value.

  • 5248-IIS HTR ISAPI Buffer Overflow: This signature fires when an unusually long HTTP request for a HTR document with an ASP file as an argument is detected.

  • 5249-IDS Evasive Encoding: This signature looks for special characters such as Null, New Line (%0a), Carriage Return (%0d), Period "." (%2e), Forward Slash "/" (%2f), and Back Slash "\" (%5c) in the URL of an HTTP request that have been hexadecimal-encoded instead of sent as the literal character. This is a technique used to evade detection of an attack. The signature fires if any of the aforementioned characters is detected encoded as part of the URL.

  • 5250-IDS Evasive Double Encoding: This signature looks for the same special characters (Null, New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c) in the URL of an HTTP request that have been "doubly" hexadecimal-encoded, for example %252e for a period, so that a single decoding pass still yields an encoded character. This is a technique used to evade detection of an attack. The signature fires if any of the aforementioned characters is detected doubly encoded as part of a URL.

  • 5251-Allaire JRun // Directory Disclosure: This signature will fire if an unauthorized attempt to display directory listings for the Allaire JRun web server is detected.

  • 5252-Allaire JRun Session ID Recon: This signature will fire if the system detects that a remote user tries to access the sample servlet files in Allaire JRun web server in order to get sensitive information.

  • 5253-Axis StorPoint CD Authentication Bypass: This signature will fire if the system detects that a remote user tries to use the "dot dot" (..) attack to access the server's administration pages without authentication.

  • 5254-Sambar Server CGI Dos Batch File: This signature will fire if the system detects that a remote user tries to run MS-DOS batch files that are in server's cgi-bin directory.

  • 5255-Linux Directory traceroute / nslookup Command Exec: This signature fires when an unauthorized attempt to execute commands using the CGI script "nslookup.pl" or "traceroute.pl" is detected.

  • 5256-Dot Dot Slash in URI: This signature fires when a "dot dot slash" (../) is detected in a URI.

  • 5257-PHPNetToolpack traceroute Command Exec: This signature fires when an unauthorized attempt to execute commands using the "nettools.php" CGI script is detected.

  • 5258-Script source disclosure with CodeBrws.asp: This signature fires upon detecting a request to the sample script CodeBrws.asp with arguments of '../'. You should never see a '../' request to this script.

  • 5259-Snitz Forums SQL injection: This signature will fire upon detecting a HTTP request to members.asp that includes the character ' as a value sent to the parameter M_NAME.

  • 5260-Xpede sprc.asp SQL Injection: This signature will alarm upon detecting an HTTP request to sprc.asp with an argument that contains an apostrophe ('). This would be indicative of a SQL insertion attack.

  • 5261-BackOffice Server Web Administration Access: This signature fires upon detecting access to Backoffice/Services.asp. This script has been known to be vulnerable to an authentication bypass attack.

  • 5262-Large number of Slashes URL: This signature will fire when a large number of slashes ("/") in URL are detected.
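The decoding that signatures 5249, 5250, 5256 and 5262 depend on, as an added example that is not part of the Cisco document and not the sensor's own code: a URL is run through two %xx-decoding passes, specials produced by the first pass are reported as evasive encoding and specials produced only by the second pass as double encoding, and the traversal and slash-count checks are then applied to the fully decoded form. The slash threshold, the sample URLs and the exact decode order are assumptions chosen for illustration. The naive substring check is included to show what the encodings evade.

```python
import re

# Bytes that 5249/5250 look for in encoded form: NUL, LF, CR, '.', '/', '\'
SPECIAL = {0x00: "NUL", 0x0A: "LF", 0x0D: "CR", 0x2E: ".", 0x2F: "/", 0x5C: "\\"}
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def decode_once(data: bytes):
    """One pass of %xx decoding. Returns the decoded bytes and the set of
    SPECIAL byte values produced by this pass (i.e. the ones that were encoded)."""
    produced = set()

    def repl(m):
        b = int(m.group(1), 16)
        if b in SPECIAL:
            produced.add(b)
        return bytes([b])

    return PCT.sub(repl, data), produced


def analyse(url: bytes, slash_limit: int = 20) -> dict:
    """Return {signature id: finding} for one request URL (path plus query).
    slash_limit is an assumed threshold; the document does not give the sensor's."""
    once, enc1 = decode_once(url)      # what a single-decode sensor sees
    twice, enc2 = decode_once(once)    # a second pass exposes double encoding
    findings = {}
    if enc1:
        findings["5249"] = sorted(SPECIAL[b] for b in enc1)   # encoded specials
    if enc2:
        findings["5250"] = sorted(SPECIAL[b] for b in enc2)   # doubly encoded specials
    if b"../" in twice:
        findings["5256"] = True                               # dot dot slash after decoding
    slashes = twice.count(b"/")
    if slashes > slash_limit:
        findings["5262"] = slashes                            # large number of slashes
    return findings


def naive_traversal(url: bytes) -> bool:
    """The literal-substring check that the encodings above are meant to evade."""
    return b"../" in url


# Constructed sample URLs (not captured traffic)
SAMPLES = [
    b"/cgi-bin/foo.cgi?file=../../etc/passwd",           # plain traversal
    b"/cgi-bin/foo.cgi?file=%2e%2e/%2e%2e/etc/passwd",   # dots hex-encoded (5249)
    b"/scripts/..%252f..%252fwinnt/system32/cmd.exe",    # slash double-encoded (5250)
    b"/" + b"/" * 30 + b"index.html",                    # excessive slashes (5262)
    b"/images/logo.png",                                 # benign
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u.decode(), "| naive:", naive_traversal(u), "| decoded:", analyse(u))
```

Run the block directly to see that the second sample defeats the naive check while the decoded check still reports both the traversal and the encoding that hid it.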

  • 5263-ecware.exe Access: This signature fires when a HTTP request for 'ecware.exe' is detected.

  • 5265-RedHat cachemgr.cgi Access: This signature fires when unauthorized remote access to 'cachemgr.cgi' file is detected. False positives are possible with normal access to the 'cachemgr.cgi' file.

  • 5266-iCat Carbo Server File Disclosure: This signature will fire when a http request contains carbo.dll in the url and ../ in the icatcommand parameter is detected.

  • 5268-Cisco Catalyst Remote Command Execution: This signature fires when an HTTP request containing /exec/ in the URL is detected. A vulnerability in the web server configuration interface of the Cisco Catalyst 3500 XL allows a remote attacker to execute arbitrary commands. Legitimate access to the GUI of the Catalyst switch can cause false positives.

  • 5269-ColdFusion CFDOCS Directory Access: This signature will fire when unauthorized remote access to '/CFDOCS' directory is detected. Normal access to the '/CFDOCS' can cause false positives.

  • 5270-EZ-Mall order.log File Access: This signature fires when an HTTP request for '/mall_log_files/order.log' is detected.

  • 5271-search.cgi Directory Traversal: This signature fires when '../' is found in the 'letter' argument to the CGI script 'search.cgi'.

  • 5272-count.cgi GIF File Disclosure: This signature fires when '../' is found in the 'image' argument to the CGI script 'count.cgi'.

  • 5273-Bannermatic Sensitive File Access: This signature fires upon detecting an HTTP request to certain Bannermatic files. Bannermatic allows a web master to build his own banner exchange service without having to purchase, install, or operate special software because it functions exclusively online. The subsignatures and associated files are:

    • SubSig 0 - ban.log

    • SubSig 1 - ban.bak

    • SubSig 2 - ban.dat

    • SubSig 3 - banmat.pwd

  • 5274-Netpad.cgi Directory Traversal/Cmd Exec: This signature fires upon detecting an attack to the known vulnerable script 'netpad.cgi'. The subsignatures associated with this signature are:

    • SubSig 0 - Command Exec Attempt

    • SubSig 1 - Directory Traversal Attempt.

  • 5275-Phorum Remote Cmd Exec: This signature fires upon detecting an attempted remote script execution on certain files that are part of the 'Phorum' package. These files and corresponding subsignatures are:

    • SubSig 0 - admin.php

    • SubSig 1 - plugin.php

  • 5276-cart.cgi Command Execution: This signature fires when argument '3fdj939jf' is used with the cart.cgi script, which is the backdoor remote-execution argument.

  • 5276:1-cart.cgi vars,env,db Recon: This signature fires when the argument 'vars', 'env', or 'db' is used with the cart.cgi script, which reveals configuration settings of the application. False positives are possible if arguments ending in 'vars', 'env' or 'db' are used with the script 'cart.cgi'.

  • 5276:2-cart.cgi Backdoor: This signature fires when argument 'usmbu7777' is used with the cart.cgi script, which is the e-mail backdoor argument.

  • 5277- dfire.cgi Command Exec: This signature fires when dfire.cgi is executed with a pipe or semicolon in the 'ipinc' or 'ipone' argument.

  • 5278-VP-ASP shoptest.asp access: This signature will fire upon detecting access to a dangerous default script of VP-ASP /demo400/shopdbtest.asp.

  • 5279-JJ CGi Cmd Exec: This signature fires when an unauthorized attempt to execute commands using the 'jj' CGI script is detected.

  • 5280-IIS idq.dll Directory Traversal: This signature will fire if an unauthorized attempt to view files on web server using idq.dll is detected.

  • 5281-Carello add.exe Access: This signature will fire when unauthorized remote access to /carello/add.exe file is detected. Legitimate access to '/carello/add.exe' file can cause this signature to fire.

  • 5282-IIS ExAir advsearch.asp Access: This signature will fire if the direct remote access to '/ExAir/search/advsearch.asp' page is detected.

  • 5282:1-IIS ExAir search.asp Access: This signature will fire if the direct remote access to '/ExAir/search/search.asp' page is detected.

  • 5282:2-IIS ExAir query.asp Access: This signature will fire if the direct remote access to '/ExAir/search/query.asp' page is detected.

  • 5283-info2www CGI Directory Traversal: This signature will fire when unauthorized remote access to 'info2www' CGI script is detected.

  • 5284- IIS webhits.dll Directory Traversal: This signature will fire if an unauthorized attempt to view files on web server using 'webhits.dll' is detected.

  • 5285-PHPEventCalendar Cmd Exec: This signature will fire upon detecting a shell metacharacter in the argument value of 'userfile' inside an HTTP request for 'index.php'.

  • 5286-WebScripts WebBBS Cmd Exec: This signature will fire upon detecting a shell metacharacter in the argument value of 'followup' inside an HTTP request for 'webbbs_post.pl'.

  • 5287-SiteServer AdSamples SITE.CSC File Access: This signature will fire when unauthorized remote access to '/adsamples/config/site.csc' file is detected. Legitimate access to the 'site.csc' can cause false positives.

  • 5288-Verity search97 Directory Traversal: This signature will fire when an unauthorized attempt to access files on the server using search97 CGI script is detected.

  • 5289-SQLXML ISAPI Buffer Overflow: This signature will fire if an attempt to overflow the "contenttype" argument in a HTTP request is detected.

  • 5290-Apache Tomcat DefaultServlet File Disclosure: This signature fires when an attempt is made to access org.apache.catalina.servlets.DefaultServlet using an HTTP request.

  • 5291-WEB-INF Dot File Disclosure: This signature fires when a HTTP request includes a "." character appended to "WEB-INF". This may indicate an attempt to view the contents of directories and files under the "/WEB-INF" subdirectory on the web server.

  • 5292-SalesCart shop.mdb File Access: This signature will fire if an HTTP request for 'shop.mdb' is detected. This may indicate the possible disclosure of sensitive customer information.

  • 5293-robots.txt File Access: This signature fires when the file "robots.txt" is accessed on a web server.

  • 5294-BearShare File Disclosure: This signature fires on "\..\" appearing in an HTTP request on port 6346 after deobfuscation has been applied. Remember, deobfuscation is the process of clarifying or unobscuring the traffic.

  • 5295-finger CGI Recon: Fires on an HTTP request for a URI containing "/finger".

  • 5296-Netscape Server PageServices Directory Access: Fires on an HTTP request for a URI containing "?PageServices".

  • 5297-order_log.dat File Access: This signature fires when the file "/orders/order_log.dat" is accessed on a web server.

  • 5298-shopper.conf File Access: This signature fires when the file "/PDG_Cart/shopper.conf" is accessed on a web server.

  • 5299-quikstore.cfg File Access: This signature fires when the file "/quikstore.cfg" is accessed on a web server.

  • 5300-reg_echo.cgi Recon: Fires on any HTTP access to 'reg_echo.cgi'. False positives are possible from legitimate use of 'reg_echo.cgi'.

  • 5301-/consolehelp/ CGI File Access: Fires on any HTTP access to '/consolehelp/'.

  • 5302-/file/ WebLogic File Access: Fires on any HTTP containing '/file/' in the URL. False positives are likely if any URL contains the '/file/' string.

  • 5303-pfdispaly.cgi Command Execution: Fires on an HTTP access containing 'pfdispaly.cgi' followed by an argument containing a pipe ('|') or a semicolon (';'). Legitimate use of 'pfdispaly.cgi' can cause false positives.

  • 5304-files.pl File Access: Fires on any HTTP access to 'files.pl'. Verify the files in question.

  • 5305-.bash_history File Access: This signature will fire when unauthorized remote access to '.bash_history' file is detected. False positives can be caused from legitimate use of the file.

  • 5305:1-.sh_history File Access: This signature will fire when unauthorized remote access to '.sh_history' file is detected. False positives can be caused from legitimate use of the file.

  • 5305:2-.history File Access: This signature will fire when unauthorized remote access to '.history' file is detected. False positives can be caused from legitimate use of the file.

  • 5305:3-.zhistory File Access: This signature will fire when unauthorized remote access to '.zhistory' file is detected. False positives can be caused from legitimate use of the file.

  • 5306-SoftCart storemgr.pw File Access: This signature will fire when unauthorized remote access to '/pw/storemgr.pw' file is detected. False positives can be caused from legitimate use of this file.

  • 5308-rpc-nlog.pl Command Execution: This signature fires when an HTTP request for the 'rpc-nlog.pl' script is detected. False positives can be caused by legitimate use of the 'rpc-nlog.pl' script.

  • 5309- handler CGI Command Execution: This signature fires when "/handler" is accessed on a web server with a pipe or semicolon as an argument. False positives can be caused from legitimate use of the 'handler' script.

  • 5310-INDEX / directory access: This signature fires when an INDEX request is made to a web server. False positives can be caused from legitimate INDEX requests.

  • 5311-8.3 file name access: This signature fires when an 8.3-style abbreviated file name (such as "MICROS~1") is accessed on a web server. False positives can be caused by legitimate access to files containing tildes.

  • 5312-*.jsp/*.jhtml Java Execution: This signature fires when a URL containing the string "/*.jsp/" or "/*.jhtml/" is accessed on a web server.

  • 5313-order.log File Access: This signature fires when the file "/admin_files/order.log" is accessed on a web server.

  • 5314- windmail.exe Command Execution: This signature fires when "/windmail.exe" is accessed on a web server.

  • 5315-changedisplay.pl WWWthreads Privilege Elevation: This signature fires when "/changedisplay.pl" is accessed on a web server with an argument of U_STATUS or U_SECURITY.

  • 5316-BadBlue Admin Command Exec: This signature fires when a request is made to the BadBlue web administration interface to map a directory on the web server's filesystem to a virtual directory on the web server. False positives can be caused from legitimate mapping of virtual directories.

  • 5317-Tivoli Endpoint Buffer Overflow: This signature fires when an excessively long request to the Tivoli Management Framework Endpoint web server on TCP port 9495 is detected.

  • 5318-Tivoli ManagedNode Buffer Overflow: This signature fires when an excessively long request to the Tivoli Management Framework ManagedNode web server on TCP port 94 is detected. This may indicate a buffer overflow attack.

  • 5319-SoftCart orders Directory Access: This signature will fire when unauthorized remote access to '/orders' directory is detected. False positives can be caused by legitimate access to the '/orders' directory.

  • 5320-ColdFusion administrator Directory Access: This signature will fire when unauthorized remote access to '/cfide/administrator' directory is detected. False positives can be caused by legitimate access to the '/cfide/administrator' directory.

  • 5321-Guest Book CGI access: This will trigger on any HTTP access to '/cgi-bin/guestbook'. False positives will be caused by any type of access to the '/cgi-bin/guestbook'.

  • 5322-Long HTTP Request: This signature fires when a long HTTP request using the GET, HEAD, or POST method is detected. This signature must be tuned to reduce the number of false positives generated.

  • 5323-Cisco Router http exec command: This alarm fires upon detecting /exec/ in the URI portion of an HTTP request. /exec/ usually indicates a privileged command being executed through the web interface of a Cisco router.

  • 5323-midicart.mdb File Access: This alarm fires upon detecting an HTTP request for the file 'midicart.mdb'.

  • 5324-Cisco IOS Query (?/):This alarm will fire upon detecting a ?/ in a URI portion of an http request.

  • 5325-Contivity cgiproc DoS: This alarm will fire upon detecting a shell meta-character as an argument to an http request to /cgi/cgiproc.

  • 5326-Root.exe access: The signature alarms upon detecting a http request for root.exe.

  • 5327-Tilde in URI: This signature fires upon detecting a tilde (~) in an HTTP request.

  • 5328- Cisco IP phone DoS: This signature will fire upon detecting a specially crafted HTTP request that will reboot a Cisco IP phone.

  • 5329-Apache/mod_ssl Worm Probe: This signature fires when a probe by the Apache/mod_ssl worm is detected.

  • 5330-Apache/mod_ssl Worm Buffer Overflow: This signature fires when a buffer overflow attack by the Apache/mod_ssl worm to the HTTPS (TCP port 443) is detected.


    Note

    The Apache/mod_ssl worm attempts to execute a buffer overflow attack against vulnerable web servers using the HTTPS port TCP 443. If the worm can infect the host, it will propagate and begin to scan for new hosts to attack. A backdoor on port UDP 2002 is also installed in order to perform distributed DoS attacks.

  • 5331-Image Javascript insertion: This signature fires upon detecting an HTML IMG tag that tries to inject javascript inside of it.

  • 5332-Wordtrans-web Command Exec: This signature fires when an attempt to execute unauthorized commands using the Wordtrans-web script 'webtrans.php' is detected.

  • 5333-FUDForum File Disclosure: This signature fires when an attempt to view files using FUDForum is detected. SubSig 0 looks for access to the file 'tmp_view.php'. SubSig 1 looks for access to the file 'admbrowse.php'.

  • 5334- DB4Web File Disclosure: This signature fires when an unauthorized attempt to view files using the DB4WEB webserver script 'db4web_c' or 'db4web_c.exe' is detected.

  • 5335-DB4WEB Proxy Scan: This signature fires when an attempt to connect to a remote host using the DB4WEB web server as a proxy to scan for open TCP ports is detected. This is a good indicator of a reconnaissance attack.

  • 5336-Abyss Web Server File Disclosure: This signature fires when an HTTP request ends in a '+' character. This may indicate an attempt to view the source of the requested file.

  • 5337-Dot Dot Slash in HTTP Arguments: This signature fires upon detecting a directory traversal attempt (../) in the argument field of an HTTP request.

  • 5338-Front Page Admin password retrieval: This signature fires upon detecting an access attempt to administrators.pwd over HTTP.

  • 5339-SunONE Directory Traversal: This signature fires upon detecting a directory traversal attempt (../) sent to ports 6015-6018 TCP.

  • 5340-Killer Protection Credential File Access: This signature fires upon detecting an HTTP request that contains 'vars.inc'.

  • 5341-HP Procurve 4000M Switch DoS: This signature fires when a HTTP request for the URL '/sw2/cgi/device_reset' is detected. This may indicate a denial of service attack against a HP Procurve switch.

  • 5342-Invision Board phpinfo.php Recon: This signature fires when an HTTP request for the URL 'phpinfo.php' is detected. This may indicate an attempted reconnaissance probe.

  • 5343-Apache Host Header Cross Site Scripting: This signature fires when an HTTP Host: header is received containing a percent or less-than character. This signature is disabled by default. This signature is known to impact performance.

  • 5344-IIS MDAC RDS Buffer Overflow: This signature fires when a buffer overflow attempt using the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) is detected.

  • 5345-HTTPBench Information Disclosure: This signature fires when the ezhttpbench.php is requested with an AnalyseSite parameter starting with a slash ('/') character.

  • 5346-BadBlue Information Disclosure: This signature fires on an HTTP access to soinfo.php.

  • 5347-Xoops WebChat SQL Injection: This signature fires when an HTTP request is made for the script 'index.php' with the 'roomid' argument containing a single-quote or semicolon character.

  • 5348-Cobalt RaQ Server overflow.cgi Cmd Exec: This signature fires upon detecting an HTTP request on port 81 or 444 to overflow.cgi with a parameter named 'e-mail'. False positives can be caused by legitimate activity.

  • 5349-Polycom ViewStation Admin Password: This signature fires when the file "a_security.htm" is accessed over HTTP. This may indicate an attempt to retrieve sensitive information.

  • 5350-PHPnuke e-mail attachment access: This signature fires upon detecting direct access to PHPnuke e-mail attachments from a web browser.

  • 5351-MS IE Help Overflow: This signature fires when a buffer overflow attempt is detected in ActiveX instructions coming from a web server.

  • 5352-H-Sphere Webshell Buffer Overflow: This signature fires when an HTTP request for '/cgi-bin/webshell' is detected with an excessively long multi-part boundary header.

  • 5353-H-Sphere Webshell 'mode' URI exec: This signature fires when the CGI executable '/cgi-bin/webshell' is accessed with shell escape characters ( | ; $ ` ) in the 'mode' parameter.

  • 5354-H-Sphere Webshell 'zipfile' URI exec: This signature fires when the CGI executable '/cgi-bin/webshell' is accessed with shell escape characters ( | ; $ ` ) in the 'zipfile' parameter.

  • 5355-DotBr exec.php3 exec: This signature is fired by a URI which accesses the script '/admin/exec.php3' with a parameter of 'cmd='.

  • 5356-DotBr system.php3 exec: This signature is fired by a URI which accesses the script '/admin/system.php3' with a parameter of 'cmd='.

  • 5357-IMP SQL Injection: This signature will fire upon detecting an sql-injection attempt to mailbox.php.

  • 5358-Psunami.CGI Remote Command Execution: This signature fires when an HTTP request containing psunami.cgi in the URL and a '|' character in the 'topic' parameter is detected.

  • 5359-Office Scan CGI Scripts Access: This signature fires when an HTTP request containing /officescan/cgi/ in the URL is detected. False positives can be caused by normal access to '/officescan/cgi/'.

  • 5360-Frontpage htimage.exe Buffer Overflow: This signature fires when an HTTP request containing htimage.exe in the URL with more than 700 characters in the argument field is detected.

  • 5362-FrontPage dvwssr.dll Buffer Overflow: This signature fires when an HTTP request containing dvwssr.dll in the URL with more than 2000 characters in the argument field is detected.

  • 5363-Frontpage imagemap.exe Buffer Overflow: This signature fires when an HTTP request containing imagemap.exe in the URL with more than 700 characters in the argument field is detected.

  • 5364-IIS WebDAV Overflow: This signature fires when a long HTTP request (65000+ chars) is detected with a HTTP header option of 'Translate:'. This indicates the use of an attack to exploit a weakness in the WebDAV component of the IIS web server.

  • 5365-Long WebDAV Request: This signature fires when a long WebDAV request (65000+ chars) is detected. This may indicate an attempted buffer overflow attack. For performance reasons, Cisco IDS 3.x only implements checks for the WebDAV methods SEARCH (SubSig 0) and LOCK (SubSig 1). Public exploits are available which utilize these methods.

  • 5366-Shell Code in HTTP URL / Args: This signature fires when a byte outside the printable ASCII range (128-255) is detected in either the URL or the arguments of an HTTP request. The URL and arguments of an HTTP request should not contain such characters; their presence may indicate shell code used in a buffer overflow attack. This signature is disabled in version 3.x of the sensor software. The subsignatures break this into two alarms:

    • SubSig 0: URL

    • SubSig 1: Arguments of the HTTP request.

  • 5367-Apache CR / LF DoS: This signature fires when a long sequence of consecutive carriage return / linefeed characters (\x0D\x0A) sent to web server ports is detected. This may indicate a denial of service attack.

  • 5368-Cisco ACS Windows CSAdmin Overflow: This signature fires when a long username is sent to the 'login.exe' CGI program on TCP port 2002. This may indicate a buffer overflow attack.

  • 5369-Win32 Apache Batch File CmdExec: This signature fires upon detecting a metacharacter used as an argument to a .bat file request. This indicates someone is trying to execute a command via a request to the .bat file.

  • 5370-HTDig File Disclosure: This signature fires upon detecting access to an htdig script with a back tick (`) in the argument field.

  • 5371-bdir.htr Access: This signature fires upon detecting access to the file bdir.htr. False positives can be caused by legitimate use of an IIS 3.0 server.

  • 5372-ASP %20 source disclosure: This signature fires upon detecting .asp%20 sent to an argument named CiWebHitsFile.

  • 5373-IIS 5 Translate: f Source Disclosure: This signature fires upon detecting a 'Translate: F' field in the HTTP request header.

  • 5374-IIS Executable File Command Exec: This signature fires upon detecting a crafted web request sent to a .bat file.

  • 5375-Apache mod_dav Overflow: This signature fires upon detecting an XML document within an HTTP request that contains a WebDav method with a large argument.


    Note

    This signature is only available in Cisco IDS versions 4.0 and newer.

  • 5376-iisPROTECT Admin SQL Injection: This signature fires when an attempt to inject arbitrary SQL statements into the arguments of an HTTP request to iisPROTECT administration interface is detected. This may be an unauthorized attempt to view or manipulate data or execute commands on the database server.

  • 5377-xp_cmdshell in HTTP args: This signature fires when an attempt to use the MSSQL 'xp_cmdshell' stored procedure is detected in the arguments of an HTTP request. This may represent a SQL injection attack attempting to execute unauthorized commands on a MSSQL server.

  • 5378-Vignette TCL Injection Command Exec: This signature fires when an attempt to inject TCL scripting code into an HTTP request to a Vignette template is detected.

  • 5379-Windows Media Services Logging ISAPI Overflow: This signature fires when a long HTTP request is sent to the Windows Media Services DLL. This may indicate a buffer overflow attack.

  • 5380-phpBB SQL injection: This signature is fired when an HTTP request is made for the CGI script 'viewtopic.php' with argument 'topic_id' containing either the word 'union' or a semicolon.

  • 5381-VPASP SQL injection: This signature is fired when a request is made for the CGI script 'shopexd.asp' with the argument 'id' containing a semicolon.

  • 5382-Xpressions SQL Admin Bypass: This signature fires when an attempt to bypass authentication controls and gain administrative access to an Xpressions Interactive application by injecting specially crafted SQL commands into an HTTP request is detected.

  • 5383-Cyberstrong eShop SQL Injection: This signature fires when an attempt to insert unauthorized SQL queries into an HTTP request to a Cyberstrong eShop script is detected.
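The HTTP signatures above fall into a few recurring patterns: a metacharacter in a named parameter of a specific script (5353, 5354, 5358), a SQL keyword or separator in a parameter (5377, 5380, 5381), an oversized argument field to a known binary (5360, 5362, 5363), an oversized request carrying a particular header or method (5364, 5365), high-bit bytes in the URL or arguments (5366), a run of CR/LF pairs (5367), and a single header value (5373). The following is an added example, not Cisco IDS sensor code: a toy matcher that re-implements those checks in Python and runs them over constructed sample requests. Thresholds (700, 2000, 65000) and parameter names are taken from the descriptions above; the CR/LF run length for 5367 is an assumption because the text gives none, and the 'Translate: F' comparison is assumed to be case-insensitive.

```python
"""Toy matcher for several of the Cisco IDS 53xx HTTP signatures described above.
Added example, not sensor code. Sample requests at the bottom are constructed."""
import re
from urllib.parse import parse_qsl

SHELL_META = set("|;$`")   # shell escape characters listed for 5353 / 5354
CRLF_RUN = 32              # assumed 5367 threshold: the page states no number


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x parser: request line, headers, query string, body (all bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].split(b" ", 2)          # "METHOD TARGET HTTP/1.x"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    path, _, query = target.partition(b"?")
    # parse_qsl percent-decodes, so mode=ls%7Cid becomes "ls|id" for the checks below
    args = dict(parse_qsl(query.decode("latin-1"), keep_blank_values=True))
    return {"method": method.decode("latin-1"), "path": path, "query": query,
            "args": args, "headers": headers, "body": body}


def match_signatures(raw: bytes) -> list:
    """Return the signature IDs (with /SubSig where the text defines one) that fire."""
    r = parse_request(raw)
    path, args, hdrs = r["path"].decode("latin-1"), r["args"], r["headers"]
    hits = []

    # 5353 / 5354: shell metacharacter in 'mode' or 'zipfile' sent to /cgi-bin/webshell
    if path.endswith("/cgi-bin/webshell"):
        for sig, param in (("5353", "mode"), ("5354", "zipfile")):
            if SHELL_META & set(args.get(param, "")):
                hits.append(sig)

    # 5358: psunami.cgi with a '|' in the 'topic' parameter
    if "psunami.cgi" in path and "|" in args.get("topic", ""):
        hits.append("5358")

    # 5360 / 5362 / 5363: oversized argument field to the FrontPage binaries
    for sig, name, limit in (("5360", "htimage.exe", 700),
                             ("5362", "dvwssr.dll", 2000),
                             ("5363", "imagemap.exe", 700)):
        if name in path and len(r["query"]) > limit:
            hits.append(sig)

    # 5364: 65000+ byte request carrying a 'Translate:' header
    if len(raw) >= 65000 and "translate" in hdrs:
        hits.append("5364")
    # 5365: 65000+ byte WebDAV SEARCH (SubSig 0) or LOCK (SubSig 1) request
    if len(raw) >= 65000 and r["method"] in ("SEARCH", "LOCK"):
        hits.append("5365/%d" % ("SEARCH", "LOCK").index(r["method"]))

    # 5366: byte 128-255 in the URL (SubSig 0) or in the arguments (SubSig 1)
    if any(b >= 128 for b in r["path"]):
        hits.append("5366/0")
    if any(b >= 128 for b in r["query"]):
        hits.append("5366/1")

    # 5367: long run of consecutive CR/LF pairs (run length is an assumption)
    if re.search(rb"(?:\r\n){%d,}" % CRLF_RUN, raw):
        hits.append("5367")

    # 5373: 'Translate: F' header (case-insensitive match is an assumption)
    if hdrs.get("translate", "").lower() == "f":
        hits.append("5373")

    # 5377: xp_cmdshell anywhere in the request arguments
    if any("xp_cmdshell" in v.lower() for v in args.values()):
        hits.append("5377")

    # 5380 / 5381: 'union' or ';' in viewtopic.php topic_id; ';' in shopexd.asp id
    topic_id = args.get("topic_id", "").lower()
    if path.endswith("viewtopic.php") and ("union" in topic_id or ";" in topic_id):
        hits.append("5380")
    if path.endswith("shopexd.asp") and ";" in args.get("id", ""):
        hits.append("5381")
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "webshell":  b"GET /cgi-bin/webshell?work_dir=/tmp&mode=ls%7Cid HTTP/1.0\r\nHost: h\r\n\r\n",
    "phpbb":     b"GET /forum/viewtopic.php?topic_id=1%20UNION%20SELECT%20pw%20FROM%20users HTTP/1.1\r\nHost: h\r\n\r\n",
    "translate": b"GET /default.asp%5C HTTP/1.0\r\nHost: h\r\nTranslate: f\r\n\r\n",
    "shellcode": b"GET /index.html?x=" + bytes(range(0x90, 0xA0)) + b" HTTP/1.0\r\nHost: h\r\n\r\n",
    "htimage":   b"GET /_vti_bin/htimage.exe?" + b"A" * 800 + b" HTTP/1.0\r\nHost: h\r\n\r\n",
    "crlf":      b"GET / HTTP/1.0\r\n" + b"\r\n" * 40,
    "benign":    b"GET /index.html?q=hello HTTP/1.1\r\nHost: h\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print("%-10s -> %s" % (name, match_signatures(req) or "no match"))
```

The checks deliberately mirror the coarseness of the descriptions: 5380 fires on any 'union' substring in topic_id, and 5366 fires on any percent-unencoded high-bit byte, which is the same behaviour that produces the false positives several entries above warn about, so a real deployment would tune or disable them per host rather than treat a single hit as confirmed exploitation.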