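#                    _    _  _ ___ ___  ___
#  __ _ _ __ __ _  __| |_ | \| |_ _| \/ __|
# / _` | '_/ _` / _| ' \| .` || || |) \__ \
# \__,_|_| \__,_\__|_||_|_|\_|___|___/|___/
#
#.........arachNIDS event signatures export..........
# Advanced Reference Archive of Current Heuristics
# for Network Intrusion Detection Systems
#
# Please see http://whitehats.com/ids/ for signature
# details and credits.            vision@whitehats.com
#
######### Export date: Wed Mar  1 09:00:00 PST 2000
#
# Snort 1.x rule syntax: one rule per line, options in parentheses.
# Rule bodies below are the arachNIDS export as published; reviewer
# remarks are marked NOTE(review) and only two rule options were changed
# (IDS132 and IDS26 depth values — see the notes at those rules).

### Command line options I use to launch snort
### snort -b -c $DIR/snort.conf -D -i elxl0 -l $DIR/logs -s
#   -b  binary (tcpdump-format) packet logging
#   -D  daemon mode
#   -s  alerts also go to syslog

##### Change these next lines to match your network!
# EXTERNAL is defined as the negation of INTERNAL, so the two must be kept
# in sync. NOTE(review): anything that arrives with a spoofed INTERNAL
# source address is treated as internal and never reaches the
# "$EXTERNAL -> $INTERNAL" rules; anti-spoofing belongs on the border router.
var INTERNAL 172.16.1.0/24
var EXTERNAL !172.16.1.0/24
# portscan preprocessor threshold: $PORTS ports in $SECONDS seconds
var PORTS 3
var SECONDS 5

##### Preprocessors
# NOTE(review): http_decode normalises URL encoding in the payload; on 443
# the payload is TLS-encrypted, so listing it is harmless but has nothing to
# work on.
preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
# The portscan log path is absolute while -l points at $DIR/logs; make sure
# /var/log/snort exists and is writable by the snort user.
preprocessor portscan: $INTERNAL $PORTS $SECONDS /var/log/snort/portscan

##### What do we log
# NOTE(review): "session: printable" writes the printable application data
# of these sessions to disk. For 21/23/110/143 that includes cleartext
# usernames and passwords — lock down $DIR/logs (mode 0700, dedicated user)
# and give the session logs a short retention.
# The specific per-port rules are listed ahead of the catch-all; Snort 1.x
# stops at the first matching rule in a chain, so keep that order.
# Logging tcp
log tcp any any <> $INTERNAL 21 (session: printable;)
log tcp any any <> $INTERNAL 23 (session: printable;)
log tcp any any <> $INTERNAL 25 (session: printable;)
log tcp any any <> $INTERNAL 53 (session: printable;)
log tcp any any <> $INTERNAL 69 (session: printable;)
log tcp any any <> $INTERNAL 79 (session: printable;)
log tcp any any <> $INTERNAL 80 (session: printable;)
log tcp any any <> $INTERNAL 110 (session: printable;)
log tcp any any <> $INTERNAL 111 (session: printable;)
log tcp any any <> $INTERNAL 113 (session: printable;)
log tcp any any <> $INTERNAL 143 (session: printable;)
log tcp any any <> $INTERNAL 512:515 (session: printable;)
log tcp any any <> $INTERNAL 600:620 (session: printable;)
log tcp any any <> $INTERNAL 1111 (session: printable;)
log tcp any any <> $INTERNAL 6660:6669 (session: printable;)
log tcp any any <> $INTERNAL any
# Logging udp
log udp any any <> $INTERNAL 111 (session: printable;)
log udp any any <> $INTERNAL 161 (session: printable;)
log udp any any <> $INTERNAL 520 (session: printable;)
log udp any any <> $INTERNAL 600:620 (session: printable;)
log udp any any <> $INTERNAL 2049 (session: printable;)
log udp any any <> $INTERNAL any
# Logging icmp
log icmp any any <> $INTERNAL any

##### Added alerts
# Local additions, not part of the arachNIDS numbering.
# "version" is matched case-sensitively; a version.bind query carries it in
# lowercase as a DNS label, so this catches the usual tools.
alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"IDS/DNS-version-query"; content:"version";)
# 0x000186A0 = RPC program number 100000 (portmapper) seen over TCP.
alert tcp $EXTERNAL any -> $INTERNAL 111 (msg:"IDS/RPC-rpcinfo-query"; content:"|00 01 86 A0|";)

##### Alerts, as defined at whitehats.com
# --- worms / backdoors / remote access ---
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS1/ADMw0rm-ftp-retrieval"; content: "USER w0rm|0D0A|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 1966 (msg: "IDS222/Backdoor-FakeFTP"; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 1269 (msg: "IDS223/Backdoor-Matrix 1.x-2.0"; flags: S;)
# Q backdoor: keyed on the spoofed 255.255.255.x source the tool uses.
alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; itype: 0; dsize: ">1";)
alert TCP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS203/backdoor-Q-tcp"; flags: A; dsize: ">1";)
alert UDP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS201/backdoor-Q-udp"; dsize: ">1";)
alert TCP $INTERNAL 7161 -> $EXTERNAL any (msg: "IDS129/cisco-catalyst-remote-access"; flags: SA;)

# --- client-side overflow (Netscape 4.7) — first rule sees the payload
# arriving from a web server, second sees it leaving toward one ---
alert TCP $EXTERNAL 80 -> $INTERNAL any (msg: "IDS215/client-netscape47-overflow-retrieved"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;)
alert TCP $INTERNAL any -> $EXTERNAL 80 (msg: "IDS214/client-netscape47-overflow-unsucessful"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;)

# --- CyberCop OS fingerprinting probes (odd flag combinations, "1"/"2" are
# the two reserved TCP flag bits) ---
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS149/cybercop-os-probe-pa12"; content: "AAAAAAAAAAAAAAAA"; flags: AP12; depth: "16";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS146/cybercop-os-probe-sf12"; flags: SF12; dsize: "0";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS145/cybercop-os-probe-sfp"; content: "AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: "16";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS150/cybercop-os-probe-sfu12"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: "16";)

# --- DNS ---
# NOTE(review): the pattern is a plain DNS query header (flags 0x0100,
# QDCOUNT 1, zero answer/authority/additional counts) behind the 2-byte TCP
# length prefix. It does not check QTYPE, so it appears to fire on any TCP
# DNS query with RD set, not only AXFR — expect noise from legitimate TCP
# fallback queries.
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";)

# --- scans ---
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS27/FIN Scan"; flags: F;)

# --- finger ---
# IDS130/IDS131: 6-byte request, dsize 6 and depth 6 anchor it exactly.
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS130/finger-.@host"; content: "|2E 0A 20 20 20 20|"; flags: AP; dsize: "6"; depth: "6";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS131/finger-0@host"; content: "|30 0A 20 20 20 20|"; flags: AP; dsize: "6"; depth: "6";)
# NOTE(review): depth raised from 1 to 6 (the pattern length). A 6-byte
# pattern cannot be located inside a 1-byte search window, so the rule as
# exported could never fire (newer Snort versions reject depth shorter than
# the content outright). depth 6 anchors the pattern at the start of the
# payload, the same way IDS130/IDS131 do.
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS132/finger-cybercop-query"; content: "|0A 20 20 20 20 20|"; flags: AP; depth: "6";)
# "@localhost\n" — finger bounce through the target.
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS11/finger-redirection"; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; flags: AP; dsize: "11"; depth: "11";)

# --- FTP ---
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS134/FTP tar parameters"; content: "RETR --use-compress-program"; flags: AP;)
# NOTE(review): bare "passwd" anywhere in the command stream — also matches
# legitimate filenames and SITE commands; noisy by design.
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS213/ftp-passwd-retrieval"; content: "passwd"; flags: AP;)

alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS144/Full XMAS Scan"; flags: SFAPUR; ack: 0;)

# --- ICMP control messages that should not come from outside ---
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS135/ICMP Redirect Host"; itype: 5; icode: 1;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS199/ICMP Redirect Net"; itype: 5; icode: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS216/ICMP subnet mask request"; itype: 17;)

# --- IMAP overflow: call-relative-0 shellcode prologue followed by /bin/sh ---
alert TCP $EXTERNAL any -> $INTERNAL 143 (msg: "IDS147/IMAP-x86-linux-buffer-overflow"; content: "|e8 c0ff ffff|/bin/sh"; flags: AP; dsize: ">100";)
alert TCP $EXTERNAL any -> $INTERNAL 1417 (msg: "IDS229/insecure-timbuktu-password"; content: "|05 00 3E|"; flags: AP; depth: "16";)
# ipEye uses a fixed initial sequence number.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS236/ipeye-syn-scan"; flags: S; seq: 1958810375;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS173/IRDP Router Advertisement"; itype: 9;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS174/IRDP Router Selection"; itype: 10;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS246/large-icmp"; dsize: >800;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS247/large-udp"; dsize: >800;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS2/mworm-ftp-retrieval"; content: "USER mw|0D0A|"; flags: AP;)
# NetBIOS "*" wildcard node-status query (encoded name).
alert UDP $EXTERNAL any -> $INTERNAL 137 (msg: "IDS177/netbios-name-query"; content: "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|";)

# --- NFS showmount over TCP: mountd (100005) call, version 1, procedure 5 ---
# NOTE(review): depth widened from 4 to 32. The content is 16 bytes, so a
# 4-byte search window could never contain it and the exported rule could
# not match (newer Snort rejects depth < content length). 32 mirrors the
# rpc.ttdbserv rules in this file, which anchor the same style of RPC call
# header at offset 16.
alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS26/nfs-showmount"; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; flags: AP; offset: "16"; depth: "32";)

# --- nmap ---
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS5/NMAP Fingerprint attempt"; flags: SFPU;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS28/NMAP TCP ping"; flags: A; ack: 0;)
# x86 NOP sled (12 x 0x90) in any inbound TCP payload.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS181/nops-x86"; content: "|90 90 90 90 90 90 90 90 90 90 90 90|"; flags: AP;)
# UTF-16LE "Windows NT 1381" in the SMB session setup of a null session.
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS204/NT NULL session"; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS4/NULL Scan"; flags: 0; seq: 0; ack: 0;)
alert TCP $INTERNAL any -> $EXTERNAL 6000:6023 (msg: "IDS126/Outgoing Xterm"; flags: AP;)

# --- pcAnywhere ---
alert TCP $INTERNAL 5632 -> $EXTERNAL any (msg: "IDS240/pcanywhere-failed"; content: "Invalid login"; flags: AP; depth: "16";)
alert UDP $EXTERNAL any -> $INTERNAL 5632 (msg: "IDS239/pcanywhere-start"; content: "ST"; depth: "2";)

# --- ICMP echo request payload fingerprints (which ping tool / OS) ---
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS151/Ping BeOS 4.x"; content: "|00000000000000000000000008090a0b|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS152/Ping BSDtype"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS153/Ping Cisco IOS 9.x"; content: "|abcdabcdabcdabcdabcdabcdabcdabcd|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS178/Ping CyberCop55"; content: "|00 00 20 20 20 20 20 20 20 20 20|"; itype: 8; icmp_seq: 18467; offset: "7"; depth: "18";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS154/Ping CyberKit 2.2 Windows"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS155/Ping Delphi-Piette Windows"; content: "|50696e67696e672066726f6d2044656c|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS156/Ping Flowpoint 2200 DSL Router"; content: "|0102030405060708090a0b0c0d0e0f10|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS157/Ping IPNetMonitor Macintosh"; content: "|a9205375737461696e61626c6520536f|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; content: "ISSPNGRQ"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS159/Ping Microsoft Windows"; content: "|6162636465666768696a6b6c6d6e6f70|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS161/Ping NetworkToolbox3 Windows"; content: "|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS162/Ping Nmap 2.36BETA"; itype: 8; dsize: "0";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS163/Ping OpenBSD-Linux"; content: "|101112131415161718191a1b1c1d1e1f|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS164/Ping Ping-O-Meter Windows"; content: "|4f4d657465724f6265736541726d6164|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS165/Ping Pinger Windows"; content: "|44617461000000000000000000000000|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS166/Ping Seer Windows"; content: "|88042020202020202020202020202020|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS167/Ping TJPingPro 1.1 Build 2 Windows"; content: "|544a50696e6750726f206279204a696d|"; itype: 8; depth: "32";)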
# --- ICMP echo request payload fingerprints, continued ---
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS168/Ping Whatsup Gold Windows"; content: "|57686174735570202d2041204e657477|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS169/Ping Win2000"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: "32";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS171/Ping zeros"; content: "|00000000000000000000000000000000|"; itype: 8; depth: "32";)

# --- portmapper GETPORT lookups over UDP ---
# Each pattern is the low bytes of the requested RPC program number at the
# position where it sits inside the portmap call (offset 40), so these tell
# you which RPC service an outside host is trying to locate.
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS18/portmap-request-admind"; content: "|01 86 F7 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS19/portmap-request-amountd"; content: "|01 87 03 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS16/portmap-request-bootparam"; content: "|01 86 BA 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS17/portmap-request-cmsd"; content: "|01 86 E4 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS13/portmap-request-mountd"; content: "|01 86 A5 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS21/portmap-request-nisd"; content: "|01 87 cc 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS14/portmap-request-nlockmgr"; content: "|01 86 B5 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS22/portmap-request-pcnfsd"; content: "|02 49 f1 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS23/portmap-request-rexd"; content: "|01 86 B1 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS10/portmap-request-rstatd"; content: "|01 86 A1 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS133/portmap-request-rusers"; content: "|01 86 A2 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS20/portmap-request-sadmind"; content: "|01 87 88 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS25/portmap-request-selection_svc"; content: "|01 86 AF 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS15/portmap-request-status"; content: "|01 86 B8 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS24/portmap-request-ttdbserv"; content: "|01 86 F3 00 00|"; offset: "40"; depth: "8";)
# NOTE(review): "IDS14" is also the number of the nlockmgr rule above, so
# the two alerts collide in any report keyed on the IDS number. Left as
# exported — the correct arachNIDS number for yppasswd is not recoverable
# from this file; check whitehats.com before relying on the ID.
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS14/portmap-request-yppasswd"; content: "|01 86 A9 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS12/portmap-request-ypserv"; content: "|01 86 A4 00 00|"; offset: "40"; depth: "8";)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS125/portmap-request-ypupdated"; content: "|01 86 BC 00 00|"; offset: "40"; depth: "8";)

# --- probes and OS fingerprinting ---
# Any UDP datagram at all to 31337 — port-only, no payload check.
alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS188/probe-back-orifice";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/Queso Fingerprint attempt"; flags: S12;)

# --- RPC service exploits and queries on the dynamic port range ---
alert TCP $EXTERNAL any -> $INTERNAL 634:1400 (msg: "IDS217/rpc-amd-overflow"; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; flags: AP; depth: "32";)
# Direct rstatd / rusers calls (program 100001 / 100002) to ports 32770 and up.
alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS9/rpc-rstatd-query"; content: "|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset: "5";)
alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS136/rpc-rusers-query"; content: "|00 00 00 00 00 00 00 02 00 01 86 A2|";)
# ToolTalk (100083) procedure 15: same call header, distinguished by size.
alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS241/rpc.ttdbserv-solaris-kill"; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; flags: AP; offset: "16"; depth: "32";)
alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS242/rpc.ttdbserv-solaris-overflow"; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; flags: AP; dsize: ">999";)

# --- SMTP: classic sendmail-era command injection and overflows ---
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS245/smtp-cmail-buffer-overflow"; content: "VRFY AAAAAAAAAAA"; flags: AP; dsize: ">500";)
# RCPT TO:"| sed '1,/^$/d'|" — pipe-to-shell recipient.
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS120/SMTP-exploit41"; content: "rcpt to|3a 20 7c 20 73 65 64 20 27 31 2C 2F 5E 24 2F 64 27 7c|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/SMTP-exploit555"; content: "mail from|3a20227c|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS172/SMTP-exploit558"; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS121/SMTP-exploit564"; content: "rcpt to|3a| decode"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS122/SMTP-exploit565"; content: "MAIL FROM|3a207c|/usr/ucb/tail"; flags: AP;)
# sendmail 8.6.x config-injection: "Croot" + "Mprog, P=/bin/..." lines.
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS123/SMTP-exploit8610"; content: "Croot|0d0a|Mprog, P=/bin/"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS124/SMTP-exploit8610ha"; content: "Croot|09090909090909|Mprog, P=/bin"; flags: AP;)
# The 8.6.9 ident variants arrive on a connection whose source port is 113
# (the attacker answers sendmail's ident lookup with config lines).
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS139/SMTP-exploit869a"; content: "|0a|C|3a|daemon|0a|R"; flags: AP;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS140/SMTP-exploit869b"; content: "|0a|D/"; flags: AP;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS141/SMTP-exploit869c"; content: "|0a|Croot|0d0a|Mprog"; flags: AP;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS142/SMTP-exploit869d"; content: "|0a|Croot|0a|Mprog"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS32/SMTP-expn-decode"; content: "expn decode"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS31/SMTP-expn-root"; content: "expn root"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS143/SMTP-MajordomoIFS"; content: "${IFS}"; flags: AP;)
# Outbound: our MTA refusing relay (enhanced status 5.7.1) — useful for
# spotting relay probing without logging on the mail host itself.
alert TCP $INTERNAL 25 -> $EXTERNAL any (msg: "IDS249/smtp-relay-denied"; content: "5.7.1"; flags: AP; depth: "70";)

# --- SOCKS ---
alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS175/socks-probe"; flags: S; ack: 0;)
# 0x04 0x5A = SOCKS4 "request granted" leaving the network: an open proxy.
alert TCP $INTERNAL 1080 -> $EXTERNAL any (msg: "IDS176/socks4-active"; content: "|04 5A|"; flags: AP; depth: "2";)

# --- SYNs from privileged source ports often used to slip past filters ---
alert TCP $EXTERNAL 20 -> $INTERNAL 0:1023 (msg: "IDS6/SourcePortTraffic-20-tcp"; flags: S;)
alert TCP $EXTERNAL 53 -> $INTERNAL 0:1023 (msg: "IDS7/SourcePortTraffic-53-tcp"; flags: S;)

# --- source-routed ICMP ---
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS116/SourceRoute-ICMP-lssr"; ipopts: lsrr ;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS117/SourceRoute-ICMP-lssre"; ipopts: lsrre ;)

# --- Stacheldraht DDoS agent traffic ---
alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "IDS179/stacheldraht client"; flags: S;)
# Handler <-> agent keepalives ride in ICMP echo replies with fixed IDs.
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS190/stacheldraht client-check"; content: "skillz"; itype: 0; icmp_id: 666;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS194/stacheldraht client-check-gag"; content: "gesundheit!"; itype: 0; icmp_id: 39938;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS192/stacheldraht client-spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000;)
# Outbound replies mean an agent is installed inside.
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS191/stacheldraht server-response"; content: "ficken"; itype: 0; icmp_id: 667;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS195/stacheldraht server-response-gag"; content: "sicken"; itype: 0; icmp_id: 669;)
# Spoof test uses the fixed source 3.3.3.3; direction intentionally "any".
alert ICMP 3.3.3.3/32 any -> any any (msg: "IDS193/stacheldraht server-spoof"; itype: 8; icmp_id: 666;)

alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;)

# --- telnet (outbound server side) ---
# Option negotiation (IAC DO ...) sent by a telnetd toward the outside.
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS8/telnet-daemon-active"; content: "|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; flags: AP;)
# Failed-login banner leaving the network — repeated hits = password guessing.
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS127/telnet-login-incorrect"; content: "Login incorrect"; flags: AP; depth: "16";)

# --- Tribe Flood Network (big- and little-endian command IDs) ---
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS184/tfn-client-command-be"; itype: 0; icmp_id: 456; icmp_seq: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS183/tfn-client-command-le"; itype: 0; icmp_id: 51201; icmp_seq: 0;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS182/tfn-server-response"; content: "shell bound to port"; itype: 0; icmp_id: 123; icmp_seq: 0;)

# --- TFTP ---
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS137/TFTP parent directory"; content: "..";)
# opcode 1 (RRQ) with an absolute path; opcode 2 (WRQ) at all.
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS138/TFTP root directory"; content: "|00 01|/";)
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS148/TFTP write"; content: "|00 02|"; depth: "2";)

# --- traceroute (TTL 1 packets reaching us, record-route replies) ---
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS238/Traceroute IPOPTS"; ipopts: rr ; itype: 0;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS3/Traceroute TCP"; ttl: 1;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS115/Traceroute UDP"; ttl: 1;)

# --- trin00 DDoS ---
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/trin00-attacker-to-master"; content: "betaalmostdone"; flags: AP;)
alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/trin00-daemon-to-master"; content: "*HELLO*";)
# As exported, deliberately unscoped (any -> any): also catches PONGs
# between two internal hosts.
alert UDP any any -> any 31335 (msg: "IDS187/trin00-daemon-to-master-pong"; content: "PONG";)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/trin00-master-to-daemon"; content: "l44adsl";)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/trin00-master-to-daemon-png"; content: "png l44";)

# --- Windows trojans answering on their default port ---
# Each rule is a SYN/ACK leaving the network from the trojan's listening
# port: an internal host accepted a connection there. These are port-based
# only, so a legitimate service that happens to use one of these ports will
# trip the rule (e.g. 666, 1001, 1033, 1042, 6669, 9999 are in common use).
alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)
alert TCP $INTERNAL 10666 -> $EXTERNAL any (msg: "IDS113/trojan-active-ambush"; flags: SA;)
alert TCP $INTERNAL 666 -> $EXTERNAL any (msg: "IDS112/trojan-active-attackftp"; flags: SA;)
# Back Orifice is UDP, so no flag check here.
alert UDP $INTERNAL 31337 -> $EXTERNAL any (msg: "IDS189/trojan-active-back-orifice";)
alert TCP $INTERNAL 20331 -> $EXTERNAL any (msg: "IDS111/trojan-active-bla"; flags: SA;)
alert TCP $INTERNAL 5400 -> $EXTERNAL any (msg: "IDS110/trojan-active-bladerunner"; flags: SA;)
alert TCP $INTERNAL 1042 -> $EXTERNAL any (msg: "IDS109/trojan-active-blah11"; flags: SA;)
alert TCP $INTERNAL 20203 -> $EXTERNAL any (msg: "IDS108/trojan-active-chupacabra"; flags: SA;)
alert TCP $INTERNAL 10607 -> $EXTERNAL any (msg: "IDS107/trojan-active-coma"; flags: SA;)
alert TCP $INTERNAL 6670 -> $EXTERNAL any (msg: "IDS106/trojan-active-deepthroat"; flags: SA;)
alert TCP $INTERNAL 6883 -> $EXTERNAL any (msg: "IDS105/trojan-active-deltasource"; flags: SA;)
alert TCP $INTERNAL 65000 -> $EXTERNAL any (msg: "IDS104/trojan-active-devil103"; flags: SA;)
alert TCP $INTERNAL 12701 -> $EXTERNAL any (msg: "IDS103/trojan-active-eclipse2000"; flags: SA;)
alert TCP $INTERNAL 4567 -> $EXTERNAL any (msg: "IDS102/trojan-active-filenail"; flags: SA;)
alert TCP $INTERNAL 50766 -> $EXTERNAL any (msg: "IDS101/trojan-active-fore-schwindler"; flags: SA;)
alert TCP $INTERNAL 1492 -> $EXTERNAL any (msg: "IDS100/trojan-active-ftp99cmp"; flags: SA;)
alert TCP $INTERNAL 6969 -> $EXTERNAL any (msg: "IDS99/trojan-active-gatecrasher"; flags: SA;)
alert TCP $INTERNAL 21554 -> $EXTERNAL any (msg: "IDS98/trojan-active-girlfriend"; flags: SA;)
alert TCP $INTERNAL 12076 -> $EXTERNAL any (msg: "IDS97/trojan-active-gjamer"; flags: SA;)
alert TCP $INTERNAL 12223 -> $EXTERNAL any (msg: "IDS96/trojan-active-hack99keylogger"; flags: SA;)
alert TCP $INTERNAL 31787 -> $EXTERNAL any (msg: "IDS95/trojan-active-hackatak"; flags: SA;)
alert TCP $INTERNAL 456 -> $EXTERNAL any (msg: "IDS94/trojan-active-hackersparadise"; flags: SA;)
alert TCP $INTERNAL 2283 -> $EXTERNAL any (msg: "IDS93/trojan-active-hvlrat5"; flags: SA;)
alert TCP $INTERNAL 4950 -> $EXTERNAL any (msg: "IDS92/trojan-active-icq"; flags: SA;)
alert TCP $INTERNAL 5521 -> $EXTERNAL any (msg: "IDS91/trojan-active-illusionmailer"; flags: SA;)
alert TCP $INTERNAL 9400 -> $EXTERNAL any (msg: "IDS90/trojan-active-incommand"; flags: SA;)
alert TCP $INTERNAL 6939 -> $EXTERNAL any (msg: "IDS89/trojan-active-indoctrination"; flags: SA;)
alert TCP $INTERNAL 9889 -> $EXTERNAL any (msg: "IDS88/trojan-active-inikiller"; flags: SA;)
alert TCP $INTERNAL 2140 -> $EXTERNAL any (msg: "IDS87/trojan-active-invasor"; flags: SA;)
alert TCP $INTERNAL 30999 -> $EXTERNAL any (msg: "IDS86/trojan-active-kuang"; flags: SA;)
alert TCP $INTERNAL 17300 -> $EXTERNAL any (msg: "IDS85/trojan-active-kuang2"; flags: SA;)
alert TCP $INTERNAL 31 -> $EXTERNAL any (msg: "IDS84/trojan-active-masterparadise"; flags: SA;)
alert TCP $INTERNAL 1269 -> $EXTERNAL any (msg: "IDS83/trojan-active-matrix"; flags: SA;)
alert TCP $INTERNAL 20000 -> $EXTERNAL any (msg: "IDS82/trojan-active-millenium"; flags: SA;)
alert TCP $INTERNAL 12346 -> $EXTERNAL any (msg: "IDS81/trojan-active-netbus10"; flags: SA;)
alert TCP $INTERNAL 20034 -> $EXTERNAL any (msg: "IDS80/trojan-active-netbuspro"; flags: SA;)
alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg: "IDS79/trojan-active-netmetro"; flags: SA;)
alert TCP $INTERNAL 7306 -> $EXTERNAL any (msg: "IDS78/trojan-active-netmonitor"; flags: SA;)
alert TCP $INTERNAL 57341 -> $EXTERNAL any (msg: "IDS77/trojan-active-netraider"; flags: SA;)
alert TCP $INTERNAL 30100 -> $EXTERNAL any (msg: "IDS76/trojan-active-netsphere"; flags: SA;)
alert TCP $INTERNAL 1033 -> $EXTERNAL any (msg: "IDS75/trojan-active-netspy"; flags: SA;)
alert TCP $INTERNAL 31339 -> $EXTERNAL any (msg: "IDS74/trojan-active-netspydk"; flags: SA;)
alert TCP $INTERNAL 5011 -> $EXTERNAL any (msg: "IDS73/trojan-active-ootlt"; flags: SA;)
alert TCP $INTERNAL 2023 -> $EXTERNAL any (msg: "IDS72/trojan-active-passripper"; flags: SA;)
alert TCP $INTERNAL 2801 -> $EXTERNAL any (msg: "IDS71/trojan-active-phineas"; flags: SA;)
alert TCP $INTERNAL 9872 -> $EXTERNAL any (msg: "IDS70/trojan-active-portalofdoom"; flags: SA;)
alert TCP $INTERNAL 16969 -> $EXTERNAL any (msg: "IDS69/trojan-active-priority"; flags: SA;)
alert TCP $INTERNAL 11223 -> $EXTERNAL any (msg: "IDS68/trojan-active-progenic"; flags: SA;)
alert TCP $INTERNAL 22222 -> $EXTERNAL any (msg: "IDS67/trojan-active-prosiak"; flags: SA;)
alert TCP $INTERNAL 1509 -> $EXTERNAL any (msg: "IDS66/trojan-active-psyberstream"; flags: SA;)
alert TCP $INTERNAL 53001 -> $EXTERNAL any (msg: "IDS65/trojan-active-remoteshutdown"; flags: SA;)
alert TCP $INTERNAL 5569 -> $EXTERNAL any (msg: "IDS64/trojan-active-robohack"; flags: SA;)
alert TCP $INTERNAL 54321 -> $EXTERNAL any (msg: "IDS63/trojan-active-schoolbus"; flags: SA;)
alert TCP $INTERNAL 31554 -> $EXTERNAL any (msg: "IDS62/trojan-active-schwindler"; flags: SA;)
alert TCP $INTERNAL 11000 -> $EXTERNAL any (msg: "IDS61/trojan-active-sennaspy"; flags: SA;)
alert TCP $INTERNAL 1600 -> $EXTERNAL any (msg: "IDS60/trojan-active-shiveburka"; flags: SA;)
alert TCP $INTERNAL 1981 -> $EXTERNAL any (msg: "IDS59/trojan-active-shockrave"; flags: SA;)
alert TCP $INTERNAL 1001 -> $EXTERNAL any (msg: "IDS58/trojan-active-silencer-webex-doly"; flags: SA;)
alert TCP $INTERNAL 30303 -> $EXTERNAL any (msg: "IDS57/trojan-active-socket23"; flags: SA;)
alert TCP $INTERNAL 1207 -> $EXTERNAL any (msg: "IDS56/trojan-active-softwar"; flags: SA;)
alert TCP $INTERNAL 33911 -> $EXTERNAL any (msg: "IDS55/trojan-active-spirit2001"; flags: SA;)
alert TCP $INTERNAL 1807 -> $EXTERNAL any (msg: "IDS54/trojan-active-spysender"; flags: SA;)
alert TCP $INTERNAL 555 -> $EXTERNAL any (msg: "IDS53/trojan-active-stealthspy-phase0-netadmin"; flags: SA;)
alert TCP $INTERNAL 1170 -> $EXTERNAL any (msg: "IDS52/trojan-active-streamingaudio"; flags: SA;)
alert TCP $INTERNAL 2565 -> $EXTERNAL any (msg: "IDS51/trojan-active-striker"; flags: SA;)
alert TCP $INTERNAL 1243 -> $EXTERNAL any (msg: "IDS50/trojan-active-subseven"; flags: SA;)
alert TCP $INTERNAL 61466 -> $EXTERNAL any (msg: "IDS49/trojan-active-telecommando"; flags: SA;)
alert TCP $INTERNAL 9999 -> $EXTERNAL any (msg: "IDS48/trojan-active-theprayer1"; flags: SA;)
alert TCP $INTERNAL 2716 -> $EXTERNAL any (msg: "IDS47/trojan-active-theprayer2"; flags: SA;)
alert TCP $INTERNAL 40412 -> $EXTERNAL any (msg: "IDS46/trojan-active-thespy"; flags: SA;)
alert TCP $INTERNAL 6400 -> $EXTERNAL any (msg: "IDS45/trojan-active-thething"; flags: SA;)
alert TCP $INTERNAL 29891 -> $EXTERNAL any (msg: "IDS44/trojan-active-theunexplained"; flags: SA;)
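# --- Windows trojans answering on their default port, continued ---
# SYN/ACK from the trojan's listening port toward the outside; port-based
# only, so any legitimate service on these ports will also trip them.
alert TCP $INTERNAL 34324 -> $EXTERNAL any (msg: "IDS43/trojan-active-tinytelnet"; flags: SA;)
alert TCP $INTERNAL 3791 -> $EXTERNAL any (msg: "IDS42/trojan-active-totaleclipse"; flags: SA;)
alert TCP $INTERNAL 1999 -> $EXTERNAL any (msg: "IDS41/trojan-active-transcout"; flags: SA;)
alert TCP $INTERNAL 2001 -> $EXTERNAL any (msg: "IDS40/trojan-active-trojancow"; flags: SA;)
alert TCP $INTERNAL 6669 -> $EXTERNAL any (msg: "IDS39/trojan-active-vampire"; flags: SA;)
alert TCP $INTERNAL 1245 -> $EXTERNAL any (msg: "IDS38/trojan-active-vodoo"; flags: SA;)
alert TCP $INTERNAL 23456 -> $EXTERNAL any (msg: "IDS37/trojan-active-whackjob"; flags: SA;)
alert TCP $INTERNAL 5742 -> $EXTERNAL any (msg: "IDS36/trojan-active-wincrash"; flags: SA;)
alert TCP $INTERNAL 2583 -> $EXTERNAL any (msg: "IDS35/trojan-active-wincrash2"; flags: SA;)
alert TCP $INTERNAL 5550 -> $EXTERNAL any (msg: "IDS34/trojan-active-xtcp2"; flags: SA;)
alert TCP $INTERNAL 37651 -> $EXTERNAL any (msg: "IDS33/trojan-active-yetanother"; flags: SA;)

# --- web / CGI ---
# These are plain substring matches on the request, not URI-anchored: a
# rule fires wherever the string appears (path, query, headers or a POST
# body). http_decode normalises %-encoding first so "ph%66" still hits "phf".
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS225/web-cgi-anyform"; content: "anyform"; flags: AP;)
# NOTE(review): "finger" matches any URL or page containing the word — noisy.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS221/web-cgi-finger"; content: "finger"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS226/web-cgi-formmail"; content: "formmail"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS228/web-cgi-guestbook"; content: "guestbook"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS235/web-cgi-handler"; content: "handler"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS224/web-cgi-nph-test-cgi"; content: "nph-test-cgi"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS219/web-cgi-perl-exe"; content: "perl.exe"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS128/web-cgi-phf"; content: "phf"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS232/web-cgi-php"; content: "php.cgi?/"; flags: AP;)
# Outbound: our own server disclosing a vulnerable PHP/FI banner.
alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS233/web-cgi-php-version"; content: "PHP/FI Version 2.0b"; flags: AP;)
# NOTE(review): a single "|" byte anywhere in an HTTP request — fires on
# every form post or URL that carries a pipe. Keep only if the noise is
# acceptable for your site.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS243/web-cgi-pipe"; content: "|7C|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS227/web-cgi-scriptalias"; content: "///"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS220/web-cgi-snork"; content: "snork.bat"; flags: AP;)
# "* " — wildcard followed by a space in a CGI argument.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS230/web-cgi-space-wildcard"; content: "|2A 20|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS218/web-cgi-test-cgi"; content: "test-cgi"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS210/web-cgi-w3-msql"; content: "w3-msql"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS211/web-cgi-w3-msql-solx86"; content: "/bin/shA-cA/usr/openwin"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS231/web-cgi-win-c-sample"; content: "win-c-sample.exe"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS234/web-cgi-wrap"; content: "wrap?/"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS250/web-coldfusion-openfile"; content: "openfile.cfm"; flags: AP;)
# NOTE(review): "flags: AP;" added for consistency with every other web
# rule in this file. As exported the rule matched "../" in any TCP segment
# to 2301 regardless of flags; the Compaq Insight Manager agent on 2301 is
# an HTTP service, so the traversal attempt arrives in a data segment.
alert TCP $EXTERNAL any -> $INTERNAL 2301 (msg: "IDS244/web-compaq-insight-dot-dot"; content: "../"; flags: AP;)
# NOTE(review): four consecutive dots — also matches ellipses in posted text.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS248/web-frontpage-pws-fourdots"; content: "...."; flags: AP;)
# "%1u" — IIS Unicode-style encoding the decoder does not normalise.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS200/web-IIS-encoding"; content: "|25 31 75|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 457 (msg: "IDS180/web-netscape-overflow-unixware"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flags: AP;)

# --- Phorum ---
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
# The default Phorum admin credential being presented.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)

# Index Server webhits (.htw) requests.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS237/web-webhits"; content: ".htw"; flags: AP;)

alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS30/XMAS Scan"; flags: FPU; ack: 0;)

#end arachNIDS export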