# ET SCAN 2012726 - inbound HTTP request carrying the base64 token "T3BlblZBU1ZUIFJDRSBUZXN0"
# (decodes to "OpenVASVT RCE Test"), the marker string used by OpenVAS/Greenbone RCE test checks.
# The content has no sticky buffer in front of it, so it is matched against the raw request payload
# rather than a specific HTTP field. threshold limits output to one alert per source IP per 60 s;
# target:dest_ip marks the scanned server as the victim side.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,openvas.org; reference:url,doi.org/10.1145/3708821.3710823; classtype:attempted-recon; sid:2012726; rev:7; metadata:created_at 2011_04_26, updated_at 2024_09_16, performance_impact Moderate, signature_severity Minor, attack_target Web_Server, deployment Datacenter; target:dest_ip;)
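# ColdFusion admin-console access, request/response pair (APSA13-01).
#
# 2016184 (request side, silent): GET with "/CFIDE/" in the URI, narrowed by the pcre to
# /CFIDE/administrator or /CFIDE/adminapi (case-insensitive). It only sets the flowbit
# ET.coldfusion_admin_access (flowbits:noalert) so that an alert is raised only when the server
# actually answers. The nocase modifier is placed directly after the content it applies to; the
# pcre already carries its own /i flag.
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/"; fast_pattern; nocase; pcre:"/\/CFIDE\/(administrator|adminapi)/i"; flowbits:set,ET.coldfusion_admin_access; flowbits:noalert; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2016184; rev:8; metadata:created_at 2013_01_09, updated_at 2024_09_16, performance_impact Moderate, attack_target Server, deployment Datacenter;)
# 2016185 (response side): HTTP 200 from the server on a flow where the bit is set, i.e. the admin
# console/API responded successfully. Brought in line with the other request/response pairs in this
# file: the flowbit is cleared once consumed and the alert is rate-limited to one per destination
# (the requesting client) per 120 s, so later 200s on the same flow do not re-alert every time.
# The rule previously had no rev; it now carries rev:1.
alert http $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER ColdFusion successful administrator access"; flow:established,to_client; flowbits:isset,ET.coldfusion_admin_access; flowbits:unset,ET.coldfusion_admin_access; http.stat_code; content:"200"; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2016185; rev:1; metadata:created_at 2024_09_15, performance_impact Moderate, signature_severity Major, attack_target Server, deployment Datacenter; target:src_ip;)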
# ET USER_AGENTS 2024897 - outbound HTTP whose User-Agent contains "Go-http-client" (nocase),
# unless the request also carries an "X-Tailscale-Challenge: " header (negated match on
# http.request_header), which is whitelisted here.
# NOTE(review): this UA is the default sent by Go's standard HTTP client, so a wide range of
# legitimate tooling will trip it; classtype misc-activity with signature_severity Major is
# likely noisy in many environments - tune or suppress per deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Go HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Go-http-client"; fast_pattern; nocase; http.request_header; content:!"X-Tailscale-Challenge|3a 20|"; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2024897; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2024_09_16, performance_impact Moderate; target:src_ip;)
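# ET EXPLOIT 2025756 - D-Link DSL-2750B OS command injection via login.cgi (EDB 44760).
# Matches a URI containing "/login.cgi?" and "cli=", then (pcre, relative to the end of "cli=")
# a run of [ a-zA-Z0-9+_] followed by a single quote (0x27) or semicolon (0x3b) - the point
# where the injected shell command begins.
# Fix: the metadata block listed performance_impact twice with conflicting values (Low and
# Moderate); the duplicate has been removed and the later value (Moderate, as used across this
# file) kept. rev bumped 3 -> 4.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B - Inbound OS Command Injection"; flow:established,to_server; http.uri; content:"/login.cgi?"; fast_pattern; content:"cli="; pcre:"/^[ a-zA-Z0-9+_]*[\x27\x3b]/Ri"; reference:url,exploit-db.com/exploits/44760/; reference:url,doi.org/10.1145/3708821.3710823; classtype:attempted-user; sid:2025756; rev:4; metadata:attack_target IoT, created_at 2018_06_27, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25; target:dest_ip;)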
# Nmap NSE User-Agent, request/response pair.
#
# 2009358 (request side, silent): User-Agent starting with
# "Mozilla/5.0 (compatible; Nmap Scripting Engine" - the pattern is 46 bytes, so depth:46
# anchors it at the start of the UA buffer. Sets ET.nmap_nse_ua; flowbits:noalert keeps it quiet.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; depth:46; nocase; flowbits:set,ET.nmap_nse_ua; flowbits:noalert; reference:url,doc.emergingthreats.net/2009358; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2009358; rev:7; metadata:created_at 2010_07_30, updated_at 2024_09_16, performance_impact Moderate, attack_target Client_and_Server, deployment Perimeter;}
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:established,to_server; http.uri; content:"information_schema"; nocase; flowbits:set,ET.sqli_attempt; flowbits:noalert; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2017808; rev:4; metadata:created_at 2013_12_06, updated_at 2024_09_16, mitre_technique_id T1190, attack_target Web_Server, performance_impact Moderate, deployment Datacenter;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN 200 OK to SQLI Information Schema Access Attempt"; flow:established,to_client; flowbits:isset,ET.sqli_attempt; flowbits:unset,ET.sqli_attempt; http.stat_code; content:"200"; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2017809; rev:4; metadata:created_at 2024_09_16, updated_at 2024_09_16, attack_target Web_Server, performance_impact Moderate, signature_severity Major, deployment Datacenter; target:src_ip;)
alert http $HOME_NET any -> any any (msg:"ET SCAN Nmap User-Agent Observed (Internal)"; flow:established,to_server; http.user_agent; content:"|20|Nmap"; fast_pattern; threshold:type limit, track by_src, seconds 120, count 1; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2024364; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Minor, updated_at 2024_09_16, performance_impact Moderate; target:dest_ip;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; fast_pattern; nocase; content:"FROM"; distance:0; nocase; flowbits:set,ET.sqli_select_attempt; flowbits:noalert; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2006445; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024_09_16, performance_impact Moderate;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN 200 OK to SQLI SELECT Attempt"; flow:established,to_client; flowbits:isset,ET.sqli_select_attempt; flowbits:unset,ET.sqli_select_attempt; http.stat_code; content:"200"; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2006447; rev:4; metadata:created_at 2024_09_16, updated_at 2024_09_16, attack_target Web_Server, performance_impact Moderate, signature_severity Major, deployment Datacenter; target:src_ip;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; distance:0; fast_pattern; nocase; flowbits:set,ET.sqli_union_attempt; flowbits:noalert; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2006446; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024_09_16, performance_impact Moderate;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN 200 OK to SQLI UNION Attempt"; flow:established,to_client; flowbits:isset,ET.sqli_union_attempt; flowbits:unset,ET.sqli_union_attempt; http.stat_code; content:"200"; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2006448; rev:4; metadata:created_at 2024_09_16, updated_at 2024_09_16, attack_target Web_Server, performance_impact Moderate, signature_severity Major, deployment Datacenter; target:src_ip;)
alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flow:to_server; flags:S,12; threshold:type both, track by_src, count 70, seconds 60; reference:url,doc.emergingthreats.net/2001581; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2001581; rev:16; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2024_09_16, performance_impact Low, signature_severity Major, attack_target Client_and_Server, deployment Perimeter; target:dest_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Port Scan Attempt"; flow:to_server; flags:S,12; luajit:pop3_scanner_recognition.lua; xbits:set,ET.pop3_scan, track ip_src; noalert; reference:url,doc.emergingthreats.net/2002992; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2002992; rev:9; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 110 -> $EXTERNAL_NET any (msg:"ET SCAN POP3 Port Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.pop3_scan, track ip_dst; xbits:unset,ET.pop3_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2002992; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2002993; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Port Scan Attempt"; flow:to_server; flags:S,12; luajit:pop3s_scanner_recognition.lua; xbits:set,ET.pop3s_scan, track ip_src; noalert; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2002996; rev:9; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"ET SCAN POP3S Port Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.pop3s_scan, track ip_dst; xbits:unset,ET.pop3s_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2002997; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Port Scan Attempt"; flow:to_server; flags:S,12; luajit:imap_scanner_recognition.lua; xbits:set,ET.imap_scan, track ip_src; noalert; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2003000; rev:9; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET SCAN IMAP Port Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.imap_scan, track ip_dst; xbits:unset,ET.imap_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2003001; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Port Scan Attempt"; flow:to_server; flags:S,12; luajit:imaps_scanner_recognition.lua; xbits:set,ET.imaps_scan, track ip_src; noalert; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2003002; rev:9; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"ET SCAN IMAPS Port Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.imaps_scan, track ip_dst; xbits:unset,ET.imaps_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2003003; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN port scan inbound to Oracle SQL port 1521"; flow:to_server; flags:S,12; luajit:osql_scanner_recognition.lua; xbits:set,ET.osql_scan, track ip_src; noalert; reference:url,doc.emergingthreats.net/2010936; reference:url,doi.org/10.1145/3708821.3710823; classtype:bad-unknown; sid:2010936; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2024_09_16, deployment Datacenter, attack_target Server, performance_impact Moderate, signature_severity Minor;)
alert tcp $HOME_NET 1521 -> $EXTERNAL_NET any (msg:"ET SCAN Oracle SQL Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.osql_scan, track ip_dst; xbits:unset,ET.osql_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2010936; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2010940; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, deployment Datacenter, attack_target Server, performance_impact Moderate, signature_severity Minor; target:src_ip;)
alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; flowbits:set,ET.nmap_os; flowbits:noalert; reference:url,doi.org/10.1145/3708821.3710823; classtype:attempted-recon; sid:2018489; rev:5; metadata:created_at 2014_05_21, updated_at 2024_09_16, performance_impact Moderate, attack_target Client_and_Server, deployment Perimeter;)
alert udp $HOME_NET 10000 -> $EXTERNAL_NET 10000 (msg:"ET SCAN NMAP OS Probe Possibly Successful (Response Packet)"; flowbits:isset,ET.nmap_os; flowbits:unset,ET.nmap_os; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2018490; rev:4; metadata:created_at 2010_07_30, updated_at 2024_09_16, performance_impact Moderate, signature_severity Minor, attack_target Client_and_Server, deployment Perimeter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN port scan inbound to mySQL port 3306"; flow:to_server; flags:S,12; luajit:mysql_scanner_recognition.lua; xbits:set,ET.mysql_scan, track ip_src; noalert; reference:url,doc.emergingthreats.net/2010937; reference:url,doi.org/10.1145/3708821.3710823; classtype:bad-unknown; sid:2010937; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2024_09_16, deployment Datacenter, attack_target Server, performance_impact Moderate;)
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN mySQL port 3306 Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.mysql_scan, track ip_dst; xbits:unset,ET.mysql_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2010937; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2010941; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, deployment Datacenter, attack_target Server, performance_impact Moderate, signature_severity Minor; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN port scan inbound to PostgreSQL port 5432"; flow:to_server; flags:S,12; luajit:psql_scanner_recognition.lua; xbits:set,ET.psql_scan, track ip_src; noalert; reference:url,doc.emergingthreats.net/2010939; reference:url,doi.org/10.1145/3708821.3710823; classtype:bad-unknown; sid:2010939; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2024_09_16, deployment Datacenter, attack_target Server, performance_impact Moderate;)
alert tcp $HOME_NET 5432 -> $EXTERNAL_NET any (msg:"ET SCAN PostgreSQL port 5432 Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.psql_scan, track ip_dst; xbits:unset,ET.psql_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2010939; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2010942; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, deployment Datacenter, attack_target Server, performance_impact Moderate, signature_severity Minor; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; luajit:ssh_scanner_recognition.lua; xbits:set,ET.ssh_scan, track ip_src; noalert; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; reference:url,doi.org/10.1145/3708821.3710823; classtype:attempted-recon; sid:2001219; rev:22; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Client_and_Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET SCAN SSH Scan Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.ssh_scan, track ip_dst; xbits:unset,ET.ssh_scan, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2001220; rev:6; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Client_and_Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; luajit:vnc_scanner_recognition.lua; xbits:set,ET.vnc_scan1, track ip_src; noalert; reference:url,doc.emergingthreats.net/2002910; reference:url,doi.org/10.1145/3708821.3710823; classtype:attempted-recon; sid:2002910; rev:8; metadata:created_at 2010_07_30, updated_at 2024_09_16, mitre_technique_id T1595, attack_target Client_and_Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 5800:5820 -> $EXTERNAL_NET any (msg:"ET SCAN VNC Port Scan 5800-5820 Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.vnc_scan1, track ip_dst; xbits:unset,ET.vnc_scan1, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2002910; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2002912; rev:5; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Client_and_Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; luajit:vnc_scanner_recognition2.lua; xbits:set,ET.vnc_scan2, track ip_src; noalert; reference:url,doc.emergingthreats.net/2002911; reference:url,doi.org/10.1145/3708821.3710823; classtype:attempted-recon; sid:2002911; rev:8; metadata:created_at 2010_07_30, updated_at 2024_09_16, mitre_technique_id T1595, attack_target Client_and_Server, performance_impact Moderate, deployment Datacenter;)
alert tcp $HOME_NET 5900:5920 -> $EXTERNAL_NET any (msg:"ET SCAN VNC Port Scan 5900-5920 Successful (SYN/ACK)"; flags:SA,12; xbits:isset,ET.vnc_scan2, track ip_dst; xbits:unset,ET.vnc_scan2, track ip_dst; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2002911; reference:url,doi.org/10.1145/3708821.3710823; classtype:misc-activity; sid:2002913; rev:6; metadata:created_at 2010_07_30, updated_at 2024_09_16, attack_target Client_and_Server, performance_impact Moderate, signature_severity Minor, deployment Datacenter; target:src_ip;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; flowbits:set,ET.xss; flowbits:noalert; reference:url,doc.emergingthreats.net/2009714; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2009714; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, tag XSS, tag Cross_Site_Scripting, updated_at 2024_09_16, performance_impact Moderate;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER 200 OK to XSS Attempt"; flow:established,to_client; flowbits:isset,ET.xss; flowbits:unset,ET.xss; http.stat_code; content:"200"; threshold:type limit, track by_dst, seconds 120, count 1; reference:url,doc.emergingthreats.net/2009714; reference:url,doi.org/10.1145/3708821.3710823; classtype:web-application-attack; sid:2009715; rev:4; metadata:created_at 2024_09_16, updated_at 2024_09_16, deployment Datacenter, attack_target Web_Server, signature_severity Major, performance_impact Moderate; target:src_ip;)