Term
alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)

Definition
Alert on any TCP packet sent from outside the home network to port 31337 on a host inside it, from any source port, and tag the alert with the message "BACKDOOR ATTEMPT-Backorifice". $HOME_NET is a variable defined in snort.conf; it is always written with the "$" prefix, and "!$HOME_NET" means "any address that is not in it". Every option inside the parentheses, including the last one, ends with a semicolon. Port 31337 is the well-known Back Orifice port, but the original tool's default listener is UDP 31337, so a TCP-only rule only catches connection attempts to a TCP service on that port, not Back Orifice's own traffic.

Term
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt..admin access"; content:"admin";)

Definition
Alert on any TCP packet from outside the home network to port 23 (telnet) on a host inside it whose payload contains the string "admin", and tag the alert "Telnet attempt..admin access". The content match is case-sensitive because no nocase modifier follows it, so "ADMIN" would not trigger the rule; it also matches anywhere in the payload, so "administrator" would.

Term
alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)

Definition
Alert when a TCP packet from any address and port arrives at port 139 (NetBIOS session service, the classic SMB transport) on any host and its payload contains the bytes 5c 00 50 00 49 00 50 00 45 00 5c. In a content string, text between a pair of pipe characters is hex and text outside the pipes is literal ASCII, so this pattern is "\PIPE\" with a NUL after each character, i.e. the UTF-16LE encoding of the SMB named-pipe path prefix. No msg option is given, so the alert carries no descriptive message; production rules add msg, sid and rev.

Term
alert tcp any any -> any 80 (content:!"GET";)

Definition
Alert on any TCP packet to port 80 whose payload does not contain the string "GET". The "!" in front of the content string negates the match. Because it alerts on everything except "GET", it fires on HEAD, POST and PUT requests, on continuation segments of a request body, and on any non-HTTP traffic sent to port 80, so it is very noisy; it illustrates negated content rather than a usable detection.

Term
alert tcp any any -> any 21 (content:"FTP ROOT"; content:"USER root"; nocase;)

Definition
Alert on any TCP packet to port 21 (the FTP control channel) whose payload contains both "FTP ROOT" and "USER root". Multiple content options in one rule are ANDed, not ORed: every one must match for the rule to fire. The nocase modifier applies only to the content option immediately before it, so "USER root" is matched case-insensitively (matching "user root" or "USER ROOT" as well) while "FTP ROOT" must appear in exactly that case.

Term
alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|";)

Definition
Alert with the message "Possible exploit" on any TCP packet whose payload contains the single byte 0x90. On x86, 0x90 is the NOP instruction, and a run of them (a NOP sled) is placed in front of shellcode so that an imprecise return address still lands on the payload. A single-byte match turns up in a large share of ordinary binary traffic (file transfers, TLS, images), so this rule would fire constantly; real NOP-sled signatures look for a run of the byte, for example content:"|90 90 90 90 90 90 90 90|", and restrict ports and direction.

Term
log tcp any any -> 192.168.1.0/24 :5000

Definition
Log (rather than alert on) any TCP packet from any source address and port to any host in the 192.168.1.0/24 subnet on a destination port less than or equal to 5000. A port written as ":5000" means the range 1 to 5000; "5000:" would mean 5000 and above, and "1000:2000" an inclusive range. This rule has no option section, which is permitted when no payload test is needed.

Term
alert tcp any any -> any 21 (content:"site exec"; content:"%"; msg:"site exec buffer overflow attempt";)

Definition
Alert on any TCP packet to port 21 on any host whose payload contains both the string "site exec" *and* a "%" character (the character that begins a printf-style format specifier), and tag the alert "site exec buffer overflow attempt". Both content options must match, and both are case-sensitive, so a client that sends the command in uppercase as "SITE EXEC", as many do, would not be caught; adding nocase after content:"site exec" fixes that. Option order does not matter: msg may appear before or after the content options.

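The following is an added worked example, not Snort's own code and not part of the original card set: a small evaluator for the rule subset these cards use. It decodes the |..| hex notation in content strings, applies "!$HOME_NET" negation and ":5000" port ranges, ANDs multiple content options, and scopes nocase to the preceding content only, so the FTP and negated-GET cards can be checked against constructed packets. $HOME_NET is assumed to be 192.168.1.0/24, the packets are constructed for the demo, and the msg labels added to the rules that had none are there only so hits are readable. Protocol, flow state, depth/offset and stream reassembly are ignored.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed value for the $HOME_NET variable (Snort reads it from snort.conf).
VARS = {"HOME_NET": "192.168.1.0/24"}


@dataclass
class Packet:
    """Just the fields the rule headers and content options look at."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def content_bytes(spec: str) -> bytes:
    """Decode a content string: text outside |..| is literal, text inside is hex."""
    out = bytearray()
    for i, piece in enumerate(spec.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode("latin-1")
    return bytes(out)


def match_addr(spec: str, ip: str) -> bool:
    """'any', a CIDR, or $VAR, each optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def match_port(spec: str, port: int) -> bool:
    """'any', a single port, or a range ':5000', '5000:' or '1000:2000'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    else:
        hit = port == int(spec)
    return hit != negate


# keyword, optional ':' + optional '!' + quoted value, then the terminating ';'
OPT_RE = re.compile(r'(\w+)\s*(?::\s*(!?)\s*"([^"]*)")?\s*;')


def parse_rule(text: str) -> dict:
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    contents = []  # each entry: [pattern bytes, negated?, nocase?]
    msg = None
    for key, neg, val in OPT_RE.findall(body.rstrip(") ")):
        if key == "content":
            contents.append([content_bytes(val), neg == "!", False])
        elif key == "nocase":
            contents[-1][2] = True  # nocase modifies only the preceding content
        elif key == "msg":
            msg = val
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": contents, "msg": msg}


def rule_fires(rule: dict, pkt: Packet) -> bool:
    if not (match_addr(rule["src"], pkt.src) and match_port(rule["sport"], pkt.sport)
            and match_addr(rule["dst"], pkt.dst) and match_port(rule["dport"], pkt.dport)):
        return False
    # Every content option is ANDed; a negated one requires the pattern to be absent.
    for pattern, negated, nocase in rule["contents"]:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if (needle in hay) == negated:
            return False
    return True


# The cards' rules (msg labels added to the ones that had none, so hits are readable).
RULES = [parse_rule(r) for r in [
    'alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt..admin access"; content:"admin";)',
    'alert tcp any any -> any 139 (msg:"SMB named pipe"; content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)',
    'alert tcp any any -> any 80 (msg:"non-GET to port 80"; content:!"GET";)',
    'alert tcp any any -> any 21 (msg:"ftp root"; content:"FTP ROOT"; content:"USER root"; nocase;)',
    'log tcp any any -> 192.168.1.0/24 :5000',
]]


def matches(pkt: Packet) -> list:
    """(action, msg) for every rule the packet triggers, in rule-file order."""
    return [(r["action"], r["msg"]) for r in RULES if rule_fires(r, pkt)]


if __name__ == "__main__":
    # Constructed packets: the same FTP login text in three case variants.
    for text in (b"FTP ROOT\r\nUSER ROOT\r\n", b"ftp root\r\nuser root\r\n", b"USER root\r\n"):
        print(text, "->", matches(Packet("10.0.0.5", 40000, "192.168.1.10", 21, text)))
```

Running it shows the point of the "FTP ROOT"/"USER root" card: only the first variant fires the alert, because "FTP ROOT" is case-sensitive and "USER root" alone is not enough, while all three are picked up by the log rule since port 21 falls inside ":5000" on the home subnet.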