| Term 
 
        | alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";) |  | Definition 
 
        | Alert if any attempt is made to access port 31337 on the home network from outside the home network. Record the message "BACKDOOR ATTEMPT-Backorifice". |  | 
        |  | 
        
        | Term 
 
        | alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt..admin access"; content:"admin";) |  | Definition 
 
        | Alert on any TCP attempt from outside the home network to access port 23 on the home network, where the packet contains the word "admin". Record the message "Telnet attempt..admin access". |  | 
        |  | 
        
        | Term 
 
        | alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";) |  | Definition 
 
        | Alert when string "|5c 00|P|00|I|00|P|00|E|00 5c|" arrives on port 139, any address, from any address/port combination. |  | 
        |  | 
        
        | Term 
 
        | alert tcp any any -> any 80 (content:!"GET";) |  | Definition 
 
        | Alert when any traffic comes in on port 80 without the word GET in the payload. |  | 
        |  | 
        
        | Term 
 
        | alert tcp any any -> any 21 (content:"FTP ROOT"; content:"USER root"; nocase;) |  | Definition 
 
        | Alert if any traffic into port 21 matches "ftp root" or "user root"; case insensitive. |  | 
        |  | 
        
        | Term 
 
        | alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|";) |  | Definition 
 
        | Alert with the message "Possible exploit" if any traffic includes the hex value '90'. |  | 
        |  | 
        
        | Term 
 
        | log tcp any any -> 92.168.1.0/24 :5000 |  | Definition 
 
        | Log packet if it arrives at any address on the subnet, to any port less than or equal to 5000. |  | 
        |  | 
        
        | Term 
 
        | alert tcp any any -> any 21 (content:"site exec"; content:"%"; msg:"site exec buffer overflow attempt";) |  | Definition 
 
        | Alert if any traffic to port 21 at any address contains the strings "site exec" *and* "%". Record the message "site exec buffer overflow attempt". |  | 
        |  |