# Emerging Threats 
#
# This distribution may contain rules under two different licenses. 
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2024, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl?"; nocase; pcre:"/node=.*\|.+\|/i"; reference:bugtraq,14662; classtype:web-application-attack; sid:2002365; rev:9; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt"; flow: to_server,established; content:"THCOWNZIIS!"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; classtype:web-application-attack; sid:2000559; rev:14; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"UNION%20"; within:200; nocase; content:"SELECT"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]+UNION.+SELECT/i"; reference:url,www.w3schools.com/sql/sql_union.asp; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; classtype:web-application-attack; sid:2009770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0d\x0aCookie\x3a[^\n]+SELECT.+FROM/i"; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; classtype:web-application-attack; sid:2009771; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DELETE FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"DELETE%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]DELETE.+FROM/i"; reference:url,www.w3schools.com/Sql/sql_delete.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; classtype:web-application-attack; sid:2009772; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT INTO SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INSERT%20"; nocase; within:200; content:"INTO"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INSERT.+INTO/i"; reference:url,www.w3schools.com/SQL/sql_insert.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; classtype:web-application-attack; sid:2009773; rev:36; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INTO%20"; nocase; within:200; content:"OUTFILE"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; classtype:web-application-attack; sid:2010038; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"INSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:2010286; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"SUBSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:2010287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; depth:6; content:"Connection|3A| Close"; nocase; distance:0; content:"Lock-token|3A|"; nocase; within:100; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; classtype:web-application-attack; sid:2011015; rev:3; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; classtype:web-application-attack; sid:2011016; rev:4; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; classtype:web-application-attack; sid:2002844; rev:7; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound"; flow:established,to_server; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012151; rev:1; metadata:created_at 2011_01_06, signature_severity Major, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/OvCgi/Main/Snmp.exe"; http_uri; nocase; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; classtype:web-application-attack; sid:2010687; rev:5; metadata:created_at 2010_07_30, confidence High, updated_at 2019_07_26;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_04_01, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"HTTP/1.1 414 Request-URI Too Large"; depth:35; nocase; classtype:web-application-attack; sid:2012708; rev:2; metadata:created_at 2011_04_22, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER robots.txt access"; flow:to_server,established; content:"/robots.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101852; rev:5; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER robot.txt access"; flow:to_server,established; content:"/robot.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101857; rev:5; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:10; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; content:"TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE"; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:2101817; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; reference:nessus,11018; classtype:web-application-attack; sid:2101818; rev:5; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER webalizer access"; flow:established,to_server; content:"/webalizer/"; nocase; http_uri; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:2101847; rev:12; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; nocase; http_uri; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=http|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012997; rev:4; metadata:created_at 2011_06_10, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; content:"GET /muieblackcat HTTP/1.1"; depth:26; classtype:attempted-recon; sid:2013115; rev:3; metadata:created_at 2011_06_24, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:2101122; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER TRACE attempt"; flow:to_server,established; content:"TRACE"; http_method; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2102056; rev:6; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Alternate Data Stream source view attempt"; flow:to_server,established; content:"|3A 3A|$DATA"; http_uri; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; classtype:web-application-activity; sid:2001365; rev:12; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:2101056; rev:10; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 3"; flow:to_server,established; content:".js%2570"; http_uri; nocase; classtype:attempted-recon; sid:2101236; rev:9; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 2"; flow:to_server,established; content:".j%2573p"; http_uri; nocase; classtype:attempted-recon; sid:2101237; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 1"; flow:to_server,established; content:".%256Asp"; http_uri; nocase; classtype:attempted-recon; sid:2101238; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:10; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~ftp access"; flow:to_server,established; content:"/~ftp"; nocase; http_uri; classtype:attempted-recon; sid:2101662; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-activity; sid:2101285; rev:10; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:2101023; rev:13; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:9; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:9; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; http_uri; nocase; classtype:web-application-activity; sid:2101371; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:12; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:13; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:13; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:9; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:12; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:12; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; classtype:attempted-recon; sid:2002667; rev:38; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:2; metadata:created_at 2012_11_21, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:2; metadata:created_at 2012_11_21, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:3; metadata:created_at 2012_11_21, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_24, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:3; metadata:created_at 2013_01_04, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:4; metadata:created_at 2013_01_04, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_22, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_22, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_26, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_14, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_14, updated_at 2019_07_26;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:2; metadata:created_at 2013_03_27, updated_at 2019_07_26;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:2; metadata:created_at 2013_03_27, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:2; metadata:created_at 2013_03_27, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:2; metadata:created_at 2013_03_27, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_02, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:2; metadata:created_at 2013_04_16, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:2; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:3; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:2; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:3; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_25, signature_severity Major, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; classtype:attempted-user; sid:2002865; rev:6; metadata:created_at 2010_07_30, confidence High, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:12; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:3; metadata:created_at 2013_08_28, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:2; metadata:created_at 2013_08_28, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:2; metadata:created_at 2013_08_28, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:2; metadata:created_at 2013_10_17, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:2; metadata:created_at 2013_10_17, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:2; metadata:created_at 2013_10_17, updated_at 2019_07_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:2; metadata:created_at 2013_10_17, updated_at 2019_07_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:2; metadata:created_at 2013_10_17, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_11, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,from_server; file_data; content:"<title>CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:2; metadata:created_at 2014_03_18, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:2; metadata:created_at 2014_04_07, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp - content"; flow:established,from_server; file_data; content:"<title>zehir3--> powered by zehir"; content:"Sistem Bilgileri"; content:"color=red>Local Adres</td"; content:"zehirhacker"; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018371; rev:2; metadata:created_at 2014_04_07, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"M Fucking Scanner"; http_user_agent; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; classtype:web-application-attack; sid:2009799; rev:6; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; http_uri; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; classtype:attempted-user; sid:2010281; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:3; metadata:created_at 2010_12_30, updated_at 2019_07_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:5; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Insomnia Shell Outbound CMD Banner"; flow:to_server,established; content:"Shell enroute......."; depth:20; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019900; rev:1; metadata:created_at 2014_12_09, signature_severity Major, updated_at 2019_07_26;)

alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page"; flow:established,to_client; file_data; content:"cPanel Cracker"; classtype:trojan-activity; sid:2020096; rev:3; metadata:created_at 2015_01_06, signature_severity Major, updated_at 2019_07_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2; metadata:created_at 2015_02_24, signature_severity Major, updated_at 2019_07_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt"; flow:established,to_server; content:"POST /"; depth:6; content:"search"; distance:0; content:"script_fields"; distance:0; nocase; content:".class.forName"; nocase; distance:0; content:"java.lang.Runtime"; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, cve CVE_2015_1427, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; fast_pattern; http_uri; pcre:"/date=\d{8}\)\;./Ui"; classtype:web-application-attack; sid:2002777; rev:8; metadata:created_at 2010_07_30, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost PHP Webshell"; flow:from_server,established; file_data; content:"base64_decode("; content:"Bbm9uR2hvc3Qg"; fast_pattern; classtype:trojan-activity; sid:2023143; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2016_09_01, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2019_07_26;)

#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; sid:2010517; rev:4; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_12, signature_severity Major, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2019_07_26;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2019_07_26;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; content:"/awstats.pl?"; http_uri; nocase; content:"/migrate"; http_uri; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; classtype:web-application-attack; sid:2002900; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; classtype:web-application-attack; sid:2002362; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; classtype:web-application-attack; sid:2003086; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; content:"/configure/"; http_uri; content:"/enable/"; http_uri; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; classtype:web-application-attack; sid:2002721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; content:"/CCMAdmin/serverlist.asp?"; http_uri; nocase; content:"pattern="; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; classtype:web-application-attack; sid:2004556; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET "; depth:4; content:"lastvist.html?"; http_uri; nocase; content:"domain="; http_uri; nocase; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; classtype:web-application-attack; sid:2009484; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; content:"OpenForm"; http_uri; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; classtype:web-application-attack; sid:2002376; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; content:"OpenFrameSet"; http_uri; nocase; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; classtype:web-application-attack; sid:2002377; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/OvCgi/OvWebHelp.exe"; http_uri; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; classtype:web-application-attack; sid:2010970; rev:4; metadata:created_at 2010_07_30, confidence High, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; content:".aspx"; http_uri; nocase; content:"GET"; nocase; depth: 3; content:"%5C"; depth: 200; nocase; content:"aspx"; within:100; classtype:web-application-attack; sid:2001343; rev:23; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; content:"extras/update.php"; http_uri; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; classtype:attempted-recon; sid:2002864; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"CUSTOMIZE=/"; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; classtype:web-application-activity; sid:2002131; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"destype=file"; http_uri; nocase; content:"desformat="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; classtype:web-application-activity; sid:2002132; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; content:".php"; http_uri; nocase; content:"=http|3a|/"; http_uri; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; classtype:web-application-attack; sid:2009151; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/\x2F\x2A.+\x2A\x2F/U"; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2011040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; content:"/default.aspx?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; classtype:web-application-attack; sid:2003903; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail"; flow:established,to_server; content:"/contact/contact/index.php?"; http_uri; nocase; content:"form[mail]="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; classtype:web-application-attack; sid:2003904; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; content:"|00|"; http_uri; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; classtype:web-application-activity; sid:2003099; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2009_1201, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, signature_severity Major, updated_at 2019_10_08;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, signature_severity Major, updated_at 2019_10_08;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, signature_severity Major, updated_at 2019_10_08;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, signature_severity Major, updated_at 2019_10_08;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, signature_severity Major, updated_at 2019_10_08;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_04, updated_at 2019_10_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, signature_severity Major, updated_at 2019_10_08;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, cve CVE_2014_6271, updated_at 2019_10_08;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, cve CVE_2014_6271, updated_at 2019_10_08;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_08;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, cve CVE_2014_6271, signature_severity Major, updated_at 2019_10_08;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.5 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029862; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER X-Sec Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>X-Sec Shell V."; nocase; fast_pattern; classtype:web-application-attack; sid:2029864; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 4.2.5 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029868; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 4.2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029870; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Kageyama Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<H1><center>Shell Kageyama</center></H1>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029872; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029874; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MINI MO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029876; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_04_10;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>"; fast_pattern; classtype:web-application-attack; sid:2029883; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form   method=|20 22|post|22 20|action=|20 22 22|> <input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value="; fast_pattern; classtype:web-application-attack; sid:2029885; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Anonymous Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>AnonyMous SHell</title>"; nocase; fast_pattern; content:"id=|22|pageheading|22|>AnonyMous SHell"; nocase; distance:0; classtype:web-application-attack; sid:2029887; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mini Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<tr><td>Current Path : <a href=|22|?path=/"; nocase; content:"<tr class=|22|first|22|>"; nocase; distance:0; content:"<td><center>File/Folder Name</center></td>"; nocase; distance:0; content:"<td><center>Size</center></td>"; nocase; distance:0; content:"<td><center>Permissions</center></td>"; nocase; distance:0; content:"<td><center>Options</center></td>"; nocase; distance:0; content:"<td><center><form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; fast_pattern; content:"<td><a href=|22|?filesrc="; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<option value=|22|edit|22|>Edit</option>"; nocase; distance:0; classtype:web-application-attack; sid:2029889; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>password<br><input type=password name=pass style=|22|background-color:whitesmoke|3b|border:1px solid #fff|3b|outline:none|3b|' required>"; content:"<input type=submit name=|22|watching|22 20|value=|22|submit|22 20|style=|22|border:none|3b|background-color:#56ad15|3b|color:#fff|3b|cursor:pointer|3b 22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029891; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='submit' style='border:none|3b|background-color:#56AD15|3b|color:#fff|3b|cursor:pointer|3b|'></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029901; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form action=|22 22 20|method=|22|post|22|><input type=|22|text|22 20|name=|22|_nv|22|><input type=|22|submit|22 20|value=|22|>>|22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029903; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Critical, updated_at 2020_04_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Leaf PHPMailer"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2029905; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Owl PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Owl PHPMailer"; fast_pattern; content:"function stopSending()"; content:"function startSending()"; classtype:web-application-attack; sid:2029907; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029909; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; classtype:web-application-attack; sid:2029917; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_15;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|description|22 20|content=|22|This Mini Shell"; nocase; content:"<meta name=|22|author|22 20|content=|22|An0n 3xPloiTeR"; fast_pattern; distance:0; nocase; classtype:web-application-attack; sid:2029919; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_15;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029935; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>DRIV3R KR PRIV8 MAILER"; fast_pattern; nocase; classtype:web-application-attack; sid:2029937; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|Description|22 20|content=|22|Mr.Rm19"; nocase; content:">Time On Server : <font color="; nocase; distance:0; content:">Server IP : <font color="; nocase; distance:0; content:">Current Dir : </font><a href="; nocase; distance:0; content:">Mass Deface</a>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029939; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|20 7c 20|Log In|20 7c 20|Power Mailer Inbox"; nocase; content:"</a>Welcome To Power Mailer Inbox"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>F. Mortolino</title>"; nocase; content:"MortoLino - mode*SPAMMER"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029943; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GwEx Mailer"; nocase; fast_pattern; content:">GwEx Mailer </font>"; nocase; distance:0; classtype:web-application-attack; sid:2029945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>W0rmVps PRIV8 MAILER"; nocase; fast_pattern; classtype:web-application-attack; sid:2029947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>SMTP Mailer</title>"; nocase; fast_pattern; content:">Inbox SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2029949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer Inbox"; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2029951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER perl post attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:2101979; rev:7; metadata:created_at 2010_09_23, cve CVE_2002_1436, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Oracle Java Process Manager access"; flow:to_server,established; http.uri; content:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:2101874; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service"; flow:to_server,established; urilen:>1400; http.uri; content:"|2F 3F|P|3D 2A 3F 2A 3F 2A 3F 2A 3F 2A 3F|"; pcre:"/(?:\x2a\x3f){700}/"; reference:cve,2011-0419; reference:url,cxib.net/stuff/apr_fnmatch.txt; reference:url,bugzilla.redhat.com/show_bug.cgi?id=703390; classtype:attempted-dos; sid:2012926; rev:4; metadata:created_at 2011_06_02, cve CVE_2011_0419, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; http.uri; content:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:11; metadata:created_at 2010_09_23, cve CVE_1999_0509, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=file|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:6; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=php|3a|//"; reference:cve,2002-0953; reference:cve,2024-4577; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftps|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013000; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, cve CVE_2002_0953, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, tag Local_File_Inclusion, tag Exploit, tag LFI, tag RFI, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftp Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftp|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012999; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible https Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=https|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, cve CVE_2002_0953, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, tag Local_File_Inclusion, tag Exploit, tag LFI, tag RFI, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible zlib Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=zlib|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013014; rev:6; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=data|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013003; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible glob Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=glob|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013004; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible phar Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=phar|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013005; rev:6; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ssh2 Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ssh2|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013006; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible rar Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=rar|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013007; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ogg Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ogg|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013008; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible expect Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=expect|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013009; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; http.method; content:"PUT"; http.request_body; content:"<title>.|3a 3a|[+] Defaced by "; nocase; classtype:web-application-attack; sid:2013365; rev:3; metadata:created_at 2011_08_05, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; http.request_body; content:"pwCfm=Dn5Ch4ng3"; classtype:web-application-attack; sid:2013921; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:3; metadata:created_at 2011_12_10, cve CVE_2010_0738, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:3; metadata:created_at 2011_12_10, cve CVE_2010_0738, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER mod_gzip_status access"; flow:to_server,established; http.uri; content:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2102156; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER globals.pl access"; flow:to_server,established; http.uri; content:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2102073; rev:7; metadata:created_at 2010_09_23, cve CVE_2001_0330, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /etc/shadow Detected in URI"; flow:to_server,established; http.uri; content:"/etc/shadow"; nocase; reference:url,en.wikipedia.org/wiki/Shadow_password; classtype:attempted-recon; sid:2009485; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER eval/base64_decode Exploit Attempt Inbound"; flow:established,to_server; http.uri; content:"eval|28|base64_decode|28|"; classtype:web-application-attack; sid:2014296; rev:3; metadata:created_at 2012_02_29, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache ?M=D directory list attempt"; flow:to_server,established; http.uri; content:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:2101519; rev:12; metadata:created_at 2010_09_23, cve CVE_2001_0731, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat server snoop access"; flow:to_server,established; http.uri; content:"/jsp/snp/"; content:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:2101108; rev:14; metadata:created_at 2010_09_23, cve CVE_2000_0760, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~root access"; flow:to_server,established; http.uri; content:"/~root"; nocase; classtype:attempted-recon; sid:2101145; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; http.uri; content:".htaccess"; nocase; classtype:attempted-recon; sid:2101129; rev:9; metadata:created_at 2010_09_23, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/ksh"; nocase; classtype:web-application-attack; sid:2011467; rev:6; metadata:created_at 2010_09_10, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/tsh"; nocase; classtype:web-application-attack; sid:2011466; rev:6; metadata:created_at 2010_09_10, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/sh"; nocase; classtype:web-application-attack; sid:2011465; rev:8; metadata:created_at 2010_10_13, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/csh"; nocase; classtype:web-application-attack; sid:2011464; rev:5; metadata:created_at 2010_09_10, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER DELETE attempt"; flow:to_server,established; http.method; content:"DELETE"; nocase; reference:nessus,10498; classtype:web-application-activity; sid:2101603; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt"; flow:established,to_server; http.uri; content:"|3a|$INDEX_ALLOCATION"; nocase; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html; classtype:bad-unknown; sid:2014886; rev:3; metadata:created_at 2012_06_11, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; http.uri; content:"@@version"; nocase; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:3; metadata:created_at 2012_06_14, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect"; flow:established,to_server; http.uri; content:"/rds-help/advanced/deferredView.jsp?"; nocase; content:"href="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014986; rev:3; metadata:created_at 2012_06_29, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/rds-help/advanced/deferredView.jsp?"; nocase; content:"href="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|javascript)/Ri"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014987; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; http.uri; content:"BULK"; nocase; content:"INSERT"; nocase; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; classtype:web-application-attack; sid:2011035; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; http.uri; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; content:".php"; nocase; distance:0; classtype:bad-unknown; sid:2015518; rev:6; metadata:created_at 2012_07_24, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; http.uri; content:"python "; nocase; classtype:web-application-attack; sid:2101350; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; http.uri; content:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:2100952; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; http.uri; content:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:2100951; rev:14; metadata:created_at 2010_09_23, cve CVE_1999_0386, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100958; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; http.uri; content:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100959; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100961; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100965; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; http.uri; content:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:2100994; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; http.uri; content:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:2101016; rev:16; metadata:created_at 2010_09_23, cve CVE_2000_0778, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; http.uri; content:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:14; metadata:created_at 2010_09_23, cve CVE_1999_1538, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; http.uri; content:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:2101403; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0737, updated_at 2020_04_22;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; http.stat_code; content:"403"; classtype:attempted-recon; sid:2101201; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Brutus Scan Inbound"; flow:established,to_server; http.user_agent; content:"Brutus/AET"; classtype:attempted-recon; sid:2015703; rev:4; metadata:created_at 2012_09_17, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"POST"; http.uri; content:"/wp-login.php"; nocase; http.request_body; content:"log|3d|"; content:"pwd|3d|"; classtype:attempted-recon; sid:2014020; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell)"; flow:from_server,established; http.content_type; content:"image/"; startswith; file.data; content:"eval(gzinflate(base64_decode("; distance:0; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html; classtype:attempted-user; sid:2015755; rev:4; metadata:created_at 2012_10_02, updated_at 2020_04_22, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:7; metadata:created_at 2010_10_13, updated_at 2020_04_22;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; http.cookie; content:"visitz="; file.data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:3; metadata:created_at 2012_10_18, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data\; name=|22|a|22|"; content:"form-data\; name=|22|c|22|"; content:"form-data\; name=|22|p1|22|"; classtype:attempted-user; sid:2015920; rev:3; metadata:created_at 2012_11_21, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|from|22|"; content:"form-data|3b| name=|22|realname|22|"; content:"form-data|3b| name=|22|amount|22|"; classtype:web-application-activity; sid:2015924; rev:3; metadata:created_at 2012_11_24, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|formSubmited|22|"; content:"form-data|3b| name=|22|scriptPassword|22|"; classtype:misc-activity; sid:2015937; rev:8; metadata:created_at 2012_11_27, updated_at 2020_04_22;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdoored Version calls home"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/x.php"; http.host; content:"prostoivse.com"; endswith; http.request_body; content:"reff="; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:5; metadata:created_at 2012_11_28, updated_at 2020_04_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dir="; content:"&sort="; content:"&command="; content:"&Submit="; classtype:attempted-user; sid:2016153; rev:4; metadata:created_at 2013_01_04, updated_at 2020_04_22;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion adminapi access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/adminapi"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016183; rev:5; metadata:created_at 2013_01_09, updated_at 2020_04_22;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion componentutils access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/componentutils"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016182; rev:7; metadata:created_at 2013_01_09, updated_at 2020_04_22;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/administrator"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:6; metadata:created_at 2013_01_09, updated_at 2020_04_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Non-Standard HTML page in Joomla /com_content/ dir"; flow:established,to_server; http.uri; content:"/components/com_content/"; content:!"index.html"; nocase; within:10; content:".html"; nocase; distance:0; classtype:bad-unknown; sid:2016311; rev:7; metadata:created_at 2013_01_30, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WSO WebShell Activity POST structure 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:" name=|22|c|22|"; content:"name=|22|p1|22|"; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/i"; classtype:attempted-user; sid:2016354; rev:4; metadata:created_at 2013_02_05, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"|0d 0a 0d 0a|act="; fast_pattern; http.method; content:"POST"; http.request_body; content:"act="; depth:4; content:"&d="; within:20; classtype:attempted-user; sid:2016516; rev:3; metadata:created_at 2013_03_04, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016575; rev:4; metadata:created_at 2013_03_14, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016576; rev:3; metadata:created_at 2013_03_14, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"?id="; content:"&msg="; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:6; metadata:created_at 2012_01_23, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mssql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"mssql_query"; classtype:bad-unknown; sid:2016664; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mssql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"mssql_query"; classtype:bad-unknown; sid:2016665; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (pgsql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"pgsql_query"; classtype:bad-unknown; sid:2016666; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (pgsql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"pgsql_query"; classtype:bad-unknown; sid:2016667; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mysql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"mysql_query"; classtype:bad-unknown; sid:2016668; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mysql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"mysql_query"; classtype:bad-unknown; sid:2016669; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"SqlException"; classtype:bad-unknown; sid:2016670; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"SqlException"; classtype:bad-unknown; sid:2016671; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"error in your SQL syntax"; classtype:bad-unknown; sid:2016673; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - netsh firewall"; flow:established,to_server; http.request_body; content:"netsh"; nocase; fast_pattern; content:"firewall"; within:15; classtype:bad-unknown; sid:2016681; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - reg HKEY_LOCAL_MACHINE"; flow:established,to_server; http.request_body; content:"reg"; nocase; content:"HKEY_LOCAL_MACHINE"; nocase; within:80; classtype:bad-unknown; sid:2016682; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - wget http - POST"; flow:established,to_server; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:bad-unknown; sid:2016683; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016674; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016675; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - Haxplorer URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=dir&dir="; classtype:attempted-user; sid:2016761; rev:3; metadata:created_at 2013_04_16, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=con"; classtype:attempted-user; sid:2016762; rev:3; metadata:created_at 2013_04_17, updated_at 2020_04_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"mfunc"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/i"; classtype:attempted-user; sid:2016788; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"mclude"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/i"; classtype:attempted-user; sid:2016789; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"dynamic-cached-content"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/i"; classtype:attempted-user; sid:2016790; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion password.properties access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"password.properties"; nocase; reference:url,cxsecurity.com/issue/WLB-2013050065; classtype:web-application-attack; sid:2016836; rev:4; metadata:created_at 2013_05_08, updated_at 2020_04_24;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER  ColdFusion path disclosure to get the absolute path"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/administrator/analyzer/index.cfm"; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:5; metadata:created_at 2013_05_09, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduletasks access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduletasks.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016842; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduleedit access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduleedit.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016843; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTPing Usage Inbound"; flow:established,to_server; http.user_agent; content:"HTTPing"; depth:7; reference:url,www.vanheusden.com/httping/; classtype:policy-violation; sid:2016845; rev:4; metadata:created_at 2013_05_14, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; http.uri; content:"/phppath/php"; pcre:"/^\b/R"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:attempted-admin; sid:2016983; rev:3; metadata:created_at 2013_06_06, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)

alert http any any -> any any (msg:"ET WEB_SERVER WebShell - GODSpy - Cookie"; flow:established; http.cookie; content:"godid="; classtype:trojan-activity; sid:2017085; rev:3; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSPy - Auth Creds"; flow:established,to_server; http.request_body; content:"ctr="; content:"haz=pasa"; classtype:trojan-activity; sid:2017088; rev:3; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - raiz"; flow:established,to_server; http.uri; content:".asp?raiz="; classtype:trojan-activity; sid:2017090; rev:3; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2020_04_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"Leaf PHPMailer</title>"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2030016; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"<title>D3V1l H4X0R Priv8 Shell"; fast_pattern; classtype:web-application-attack; sid:2030018; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"Upload File : <input type=|22|file|22 20|name=|22|file|22|"; fast_pattern; nocase; content:">Name</center></td>"; nocase; distance:0; content:">Size</center></td>"; nocase; distance:0; content:">Permissions</center></td>"; nocase; distance:0; content:">Options</center></td>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; classtype:web-application-attack; sid:2030020; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"<title>-:- Stupidc0de Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2030022; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; http.request_body; content:"|0D 0A|"; content:"<%"; within:5; fast_pattern; content:"%>"; distance:0; pcre:"/<%[\x00-\x7f]{20}/"; classtype:trojan-activity; sid:2017260; rev:12; metadata:created_at 2013_07_31, signature_severity Major, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; http.request_body; content:"4d5a"; nocase; content:"50450000"; distance:0; classtype:bad-unknown; sid:2017293; rev:3; metadata:created_at 2013_08_07, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/flowplayer-3.1.1.min.js"; nocase; reference:url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html; classtype:trojan-activity; sid:2017280; rev:4; metadata:created_at 2013_08_06, signature_severity Major, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"txtpath="; depth:8; content:"&cmd="; classtype:trojan-activity; sid:2017392; rev:3; metadata:created_at 2013_08_28, signature_severity Major, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?upload=@&txtpath="; http.request_body; content:"Upload !"; classtype:trojan-activity; sid:2017393; rev:3; metadata:created_at 2013_08_28, signature_severity Major, updated_at 2020_04_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell in POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eval"; content:"mcrypt_decrypt"; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017641; rev:5; metadata:created_at 2013_10_28, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=system"; nocase; content:"j_password=Passw0rd"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017803; rev:5; metadata:created_at 2013_12_06, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=system"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017804; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=monitor"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017805; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Operator Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=operator"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017806; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt"; flow:to_server,established; http.uri; content:"select"; nocase; content:"mysql.user"; nocase; distance:1; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017807; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:to_server,established; http.uri; content:"information_schema"; nocase; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017808; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; http.request_body; content:"work_dir="; content:"command="; content:"submit_btn=Execute+Command"; classtype:web-application-attack; sid:2017952; rev:3; metadata:created_at 2014_01_11, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_07, cve CVE_2012_3152, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Recon-ng User-Agent"; flow: established,to_server; http.user_agent; content:"Recon-ng"; reference:url,itbucket.org/LaNMaSteR53/recon-ng/overview; classtype:attempted-recon; sid:2018118; rev:4; metadata:created_at 2014_02_12, updated_at 2020_04_27;)

alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER Possible AntSword Webshell Commands Inbound"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Response.Write(|25|22"; within:50; nocase; content:"eval(System.Text.Encoding.GetEncoding(|25|22"; nocase; distance:0; content:"|25|22).GetString(System.Convert.FromBase64String(|25|22"; nocase; distance:0; content:")|25|3BResponse.End()|25|3B&"; nocase; distance:0; fast_pattern; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030037; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_28;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030060; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_29;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"SCRIPT MAILER INBOX"; content:">SMTP Login:</font></div>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030062; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_29;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Check Accessed on Internal Server"; flow:established,to_client; file.data; content:"Upload is <b><"; content:"Check  Mailling ..<br>"; nocase; distance:0; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_29;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<form method=post style=|22|font-family:fantasy|3b 22|>"; content:"Password: <input type=password name=pass style=|22|background-color|3a|whitesmoke|3b|border|3a|1px solid #FFF|3b 22|><input type=submit value='>>' style=|22|border|3a|none|3b|background-color|3a|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030066; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_29;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Crawler"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.user_agent; content:"PHPCrawl"; depth:8; reference:url,phpcrawl.cuab.de/; classtype:attempted-user; sid:2018607; rev:3; metadata:created_at 2014_06_26, updated_at 2020_04_30;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Adobe Flash Player Rosetta Flash compressed CWS in URI"; flow:established,to_server; urilen:>70; http.uri; content:"callback=CWS"; nocase; pcre:"/^[a-z0-9\.\_]{5}hC[a-z0-9\.\_]{50}/Ri"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018740; rev:3; metadata:created_at 2014_07_18, cve CVE_2014_4671, updated_at 2020_04_30;)

alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Genol Shell"; nocase; fast_pattern; content:"><b>Uname|20 3a 20|Linux|20|"; nocase; distance:0; classtype:web-application-attack; sid:2030074; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_05_01, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title> Mailer Created By"; nocase; fast_pattern; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|Enviar|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>alexusMailer 2.0</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server"; flow:established,to_client; file.data; content:"---------0nline Inf0---------------"; nocase; fast_pattern; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:web-application-attack; sid:2030080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server"; flow:established,to_client; file.data; content:">E-MAIL INFORMATION</font> ]-_-_-_-_-_-_-"; nocase; fast_pattern; content:">INFO VICTIM</font> ]-_-_-_-_-_-_-"; nocase; distance:0; classtype:web-application-attack; sid:2030082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Cpanel Cracker Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>HEx CPanel Cracker"; nocase; fast_pattern; content:"<strong>CPanelCracker Script"; nocase; distance:0; classtype:web-application-attack; sid:2030084; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Pro Mailer V2</title>"; nocase; classtype:web-application-attack; sid:2030086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_start_job attempt"; flow:to_server,established; http.uri; content:"sp_start_job"; nocase; classtype:attempted-user; sid:2010004; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; http.user_agent; content:"CZ32ts"; nocase; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2010621; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit"; flow:established,to_server; http.uri; content:"/bin/bash"; classtype:web-application-attack; sid:2010667; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; http.uri; content:"/thisdoesnotexistahaha.php"; classtype:web-application-attack; sid:2010720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; http.user_agent; content:"Casper Bot"; nocase; classtype:web-application-attack; sid:2011175; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; flowbits:set,et.ddwrt.infodis; http.uri; content:"/Info.live.htm"; nocase; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:6; metadata:created_at 2010_12_30, updated_at 2020_05_04, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI"; flow:established,to_server; http.uri; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012150; rev:4; metadata:created_at 2011_01_06, updated_at 2020_05_04;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Component SQLi Attempt"; flow:established,to_server; http.uri; content:"option=com_"; nocase; content:"union"; nocase; distance:0; content:"select"; nocase; distance:0; content:"from"; nocase; distance:0; content:"jos_users"; distance:0; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:4; metadata:created_at 2012_12_05, updated_at 2020_05_08;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"; flow:established,to_server; http.cookie; content:"|28 29 20 7b|"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019239; rev:5; metadata:created_at 2014_09_25, cve CVE_2014_6271, updated_at 2020_05_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WEB-PHP phpinfo access"; flow:to_server,established; http.uri; content:"/phpinfo.php"; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:2019526; rev:5; metadata:created_at 2010_09_23, cve CVE_2002_1149, updated_at 2020_05_13;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER printenv access"; flow:to_server,established; http.uri; content:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:2101877; rev:11; metadata:created_at 2010_09_23, cve CVE_2000_0868, updated_at 2020_05_13;)

alert http $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; http.uri; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:4; metadata:created_at 2014_05_21, cve CVE_2014_3120, updated_at 2020_05_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"php|3a 2f 2f|input"; fast_pattern; http.request_body; content:"<?"; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:4; metadata:created_at 2014_11_25, signature_severity Major, updated_at 2020_05_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; http.uri.raw; content:"%252E%252E%252F"; nocase; classtype:misc-attack; sid:2019880; rev:5; metadata:created_at 2014_12_06, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Insomnia Shell HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.request_body; content:"txtRemoteHost="; fast_pattern; content:"txtRemotePort="; distance:0; content:"txtBindPort="; distance:0; content:"txtPipeName="; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019899; rev:3; metadata:created_at 2014_12_09, signature_severity Major, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; http.header; content:"QHN5c3Rl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:7; metadata:created_at 2011_11_21, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; http.uri; content:"?cmd=ZXhpdA=="; fast_pattern; http.user_agent; content:"Mozilla 5"; startswith; reference:url,seclists.org/fulldisclosure/2014/Nov/78; classtype:bad-unknown; sid:2019951; rev:3; metadata:created_at 2014_12_16, updated_at 2020_05_14;)

alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; http.request_body; content:"user=CRACKER"; classtype:trojan-activity; sid:2020097; rev:3; metadata:created_at 2015_01_06, signature_severity Major, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?"; content:"system|28|"; distance:0; classtype:web-application-attack; sid:2020102; rev:5; metadata:created_at 2015_01_07, signature_severity Major, updated_at 2020_05_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WPScan User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"WPScan v"; depth:8; reference:url,github.com/wpscanteam/wpscan; classtype:web-application-attack; sid:2020338; rev:4; metadata:created_at 2015_01_30, signature_severity Minor, updated_at 2020_05_15;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed"; flow:established,to_server; http.request_body; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020556; rev:3; metadata:created_at 2015_02_24, signature_severity Major, updated_at 2020_05_15;)

alert http any any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; http.header; content:"ing|3a| identity|0D 0A|Host|3a|"; http.cookie; content:"SESS="; content:"|3B| SID="; distance:0; content:"|3B| PREF="; distance:0; content:"|3B|SSID="; distance:0; classtype:trojan-activity; sid:2020557; rev:3; metadata:created_at 2015_02_24, signature_severity Major, updated_at 2020_05_15;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Create - POST Structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Fname="; depth:6; content:"&cmd="; classtype:trojan-activity; sid:2020572; rev:4; metadata:created_at 2015_02_25, signature_severity Major, updated_at 2020_05_15;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Uploader Accessed on Internal Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030213; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_26;)

alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Witch3r Mini Shell"; nocase; fast_pattern; content:"Mini-Shell</h1></font>"; nocase; distance:0; classtype:web-application-attack; sid:2030217; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_05_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - net user"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net"; nocase; content:!"work"; within:4; nocase; content:"user"; nocase; within:11; content:!"-agent"; nocase; within:6; pcre:"/net(?:%(?:25)?20|\s)+user/i"; classtype:bad-unknown; sid:2016680; rev:7; metadata:created_at 2013_03_27, updated_at 2020_06_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Email Spoofing Tool Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Email Spoofer"; content:"id=|22|title|22|>Email Spoofer"; content:"id=|22|from|22 20|placeholder=|22 20|Email Spoofed"; content:"id=|22|name|22 20|placeholder=|22|Name Spoofed"; content:"var mailist = $(|22|#to|22|).val().split("; classtype:web-application-attack; sid:2030246; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_03, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_06_03;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; http.request_body; content:!"&date="; content:"code="; depth:5; content:"&submit="; distance:0; classtype:trojan-activity; sid:2017389; rev:7; metadata:created_at 2013_08_28, signature_severity Major, updated_at 2020_06_09;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>anaLTEAM"; nocase; fast_pattern; content:"name=|22|command|22 20|value=|22|Crotz|22|"; nocase; distance:0; content:"value=|22|Upload Bos"; nocase; distance:0; classtype:web-application-attack; sid:2030319; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_06_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>b374k"; nocase; fast_pattern; content:"class='inputz' type='password"; nocase; distance:0; content:"class='inputzbut' type='submit'"; nocase; distance:0; classtype:web-application-attack; sid:2030321; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_06_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title> By Gentoo"; nocase; fast_pattern; content:"<h2>Gentoo @ MyHack"; nocase; distance:0; content:"function ChMod(chdir, file) {var o = prompt('Chmod:"; nocase; distance:0; classtype:web-application-attack; sid:2030323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_06_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form></pre>"; fast_pattern; classtype:web-application-attack; sid:2030325; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_06_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form|20 20 20|method=|20 22|post|22 20|action=|20 22 22|>|20|<input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value=|20 22|&gt|3b 22|/>"; fast_pattern; classtype:web-application-attack; sid:2030327; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_06_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Compromised Webserver Retriving Inject"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; pcre:"/^\/blog\/\?[a-z]+&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\x3a\d{1,5})?$/"; classtype:trojan-activity; sid:2022485; rev:3; metadata:created_at 2016_02_03, signature_severity Major, updated_at 2020_06_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; http.uri; content:"/plugins/custom-content-type-manager/auto-update.php"; fast_pattern; nocase; reference:url,blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html; classtype:trojan-activity; sid:2022596; rev:4; metadata:created_at 2016_03_07, signature_severity Major, updated_at 2020_06_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Predator the Thief Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Predator The Thief"; fast_pattern; nocase; content:"<form method=|22|POST|22 20|class=|22|sign-box|22|"; nocase; distance:0; content:"<input type=|22|text|22 20|class=|22|form-control|22 20|name=|22|login|22 20|value=|22 22 20|placeholder="; nocase; distance:0; content:"<input type=|22|password|22 20|class=|22|form-control|22 20|name=|22|password|22 20|placeholder="; nocase; distance:0; classtype:web-application-attack; sid:2030447; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, signature_severity Critical, updated_at 2020_07_03;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_06, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FiercePhish Password Prompt Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FiercePhish"; fast_pattern; content:"/fiercephish_logo.png|22 20|alt=|22|FiercePhish"; content:"placeholder=|22|Username|22|"; content:"<input type=|22|password|22|"; classtype:web-application-attack; sid:2030499; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Minor, updated_at 2020_07_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=|22|POST|22|>|0d 0a|"; content:"Password|3a 0d 0a|"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|auth|22 20|value=|22|"; distance:0; content:"<input type=|22|password|22 20|name=|22|password|22|>|0d 0a|"; distance:0; content:"<input type=|22|submit|22 20|value=|22|>>|22|>|0d 0a|"; fast_pattern; distance:0; classtype:web-application-attack; sid:2030501; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_07_13;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M1"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 22 7c|"; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022846; rev:3; metadata:created_at 2016_06_01, cve CVE_2016_5118, signature_severity Major, updated_at 2020_07_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M2"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022847; rev:3; metadata:created_at 2016_06_01, cve CVE_2016_5118, signature_severity Major, updated_at 2020_07_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"name=|22|author|22 20|content=|22|Mr.IN130X"; content:"Mini Shell</title>"; fast_pattern; classtype:web-application-attack; sid:2030536; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|"; content:"type=submit name='watching' value='submit' style='border|3a|none|3b|background-color|3a|#"; fast_pattern; classtype:web-application-attack; sid:2030538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>"; content:"Password: <input type=password name=pass><input type=submit value='>>'>"; fast_pattern; classtype:web-application-attack; sid:2030540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"cmd{background-color|3a|"; content:"SCROLLBAR-DARKSHADOW-COLOR|3a|"; distance:0; content:"<body style=|22|FILTER|3a 20|progid|3a|DXImageTransform.Microsoft.Gradient("; distance:0; content:"gradientType=0,startColorStr="; content:"<input name='envlpass' type='password'"; fast_pattern; classtype:web-application-attack; sid:2030542; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>:: Mailer Inbox"; fast_pattern; content:"document.getElementById(|22|emails|22|"; distance:0; content:"document.getElementById(|22|txtml|22|"; distance:0; classtype:web-application-attack; sid:2030544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_07_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"Priv8 (Mailer Inbox Sender"; distance:0; content:"SMTP SETUP</font>"; distance:0; classtype:web-application-attack; sid:2030546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Cpanel Cracker Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">CPANEL CRACKER</font><font color="; fast_pattern; content:"color=white>--==[[Greetz to]]==--"; distance:0; content:"####### Coded By"; distance:0; classtype:web-application-attack; sid:2030554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_17, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_07_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ALFA TEaM Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"ALFA TEaM Shell"; nocase; fast_pattern; pcre:"/^\s*\-\s*/R"; classtype:web-application-attack; sid:2029866; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, signature_severity Critical, updated_at 2020_07_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>[ RC-SHELL v"; nocase; fast_pattern; classtype:web-application-attack; sid:2030591; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|0d 0a 09|<form method=|22|POST|22|>|0d 0a 09 09|Password|3a 20 0d 0a 09 09|"; nocase; content:"name=|22|password|22|>|0d 0a 09 09|<input type=|22|submit|22 20|value=|22|>>|22|>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030593; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_24;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Website Ransomnote Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030596; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_07_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/w00tw00t."; nocase; depth:10; classtype:attempted-recon; sid:2010794; rev:9; metadata:created_at 2010_07_30, updated_at 2020_07_27;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030608; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_07_29;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:to_server,established; http.uri; content:"|24 7b|"; content:"|25 7b|"; distance:0; content:"|7d|"; distance:0; pcre:"/\${\s*?%{/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2023535; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2016_11_18, cve CVE_2013_2135, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SLEEP|28|"; nocase; distance:0; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; http.header; content:"JGFyZ3MgPSBh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:7; metadata:created_at 2011_11_22, updated_at 2020_08_04;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; http.header; content:"QHB5dGhvbl9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:6; metadata:created_at 2011_11_22, updated_at 2020_08_04;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)"; flow:to_server,established; http.header; content:"If|3a 20 3c|"; pcre:"/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/mi"; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:3; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2017_03_28, cve CVE_2017_7269, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Accessed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:".php"; endswith; http.request_body; content:"password="; startswith; content:"&action=login&hide="; fast_pattern; distance:0; content:"&username="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030650; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?ganteng"; endswith; fast_pattern; http.referer; content:".php?ganteng"; endswith; http.request_body; content:"key=password&method="; startswith; content:"&submit="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030651; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork)"; flow:established,to_server; http.user_agent; content:"plaNETWORK Bot"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; sid:2011243; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_06;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER UA WordPress probable DDOS-Attack"; flow:established,to_server; http.user_agent; content:"Wordpress/"; depth:10; reference:url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html; reference:url,pastebin.com/NP64hTQr; classtype:bad-unknown; sid:2017528; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_09_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_08_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post><input type=password name=ps><input type=submit value='>>'></form>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030659; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_08_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password<br><input type=password name=pass"; nocase; content:"background-color|3a|whitesmoke|3b|border"; distance:0; content:"type=submit name='watching' value='Login'"; distance:0; fast_pattern; classtype:web-application-attack; sid:2030661; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_08_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER OptionsBleed (CVE-2017-9798)"; flow:from_server; http.header; content:"Allow|3a 20|"; pcre:"/^[^\n]+(?:[^ -~\x0d\x0a]|,\x20*,)/R"; reference:cve,CVE-2017-9798; classtype:misc-activity; sid:2024760; rev:5; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_09_19, deployment Datacenter, performance_impact Significant, signature_severity Minor, updated_at 2020_08_12;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; threshold:type limit, track by_src, seconds 3600, count 1; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:web-application-attack; sid:2024930; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_10_26, deployment Datacenter, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2023_06_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; http.stat_code; content:"403"; file.data; content:"<script"; nocase; depth:512; content:!"location.replace|28 22|https|3a 2f 2f|block.opendns.com"; distance:0; classtype:web-application-attack; sid:2010515; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_08_19;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell Download"; flow:established,to_client; file_data; content:"eval"; content:"mcrypt_decrypt"; within:30; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017640; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2013_10_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:26; metadata:created_at 2010_07_30, updated_at 2020_08_20;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase; content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:5; metadata:created_at 2013_07_24, signature_severity Major, updated_at 2020_08_19, reviewed_at 2024_02_07;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SmailMax PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"SmailMax SMTP Mailer</title>"; fast_pattern; content:"SERVER SETUP</font>"; content:"SMTP Login:</font>"; classtype:web-application-attack; sid:2030228; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_28, deployment Perimeter, signature_severity Critical, updated_at 2020_08_19;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"USER"; nocase; pcre:"/SELECT[^a-z]+USER/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2010963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; classtype:web-application-attack; sid:2009714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"select"; nocase; distance:0; fast_pattern; content:"from"; nocase; within:20; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022816; rev:4; metadata:created_at 2016_05_17, signature_severity Major, updated_at 2020_08_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"VERSION"; nocase; distance:1; reference:url,support.microsoft.com/kb/321185; classtype:web-application-attack; sid:2011037; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; http.uri; content:".asp|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010592; rev:9; metadata:created_at 2010_07_30, cve CVE_2009_4444, updated_at 2020_08_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; http.uri; content:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; classtype:attempted-recon; sid:2011141; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt"; flow:established,to_server; http.uri; content:"/system32/"; nocase; classtype:attempted-recon; sid:2009362; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M2"; flow:to_server,established; http.header; content:"BwYXNzdGhydSgn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025593; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M3"; flow:to_server,established; http.header; content:"AcGFzc3RocnUoJ"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025594; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cookie Based BackDoor Used in Drupal Attacks"; flow:established,to_server; http.cookie; content:"preg_replace"; nocase; reference:url,www.kahusecurity.com/posts/drupal_7_sql_injection_info.html; classtype:attempted-user; sid:2019627; rev:4; metadata:created_at 2014_11_03, updated_at 2020_08_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, cve CVE_2017_12557, deployment Datacenter, signature_severity Major, updated_at 2020_08_27;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER jQuery File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; http.request_body; content:"name=|22|files|22 3b|"; content:"<?php"; nocase; reference:url,github.com/lcashdol/Exploits/tree/master/CVE-2018-9206; reference:cve,2018-9206; classtype:web-application-attack; sid:2026552; rev:4; metadata:affected_product PHP, attack_target Server, created_at 2018_10_25, cve CVE_2018_9206, deployment Datacenter, signature_severity Major, updated_at 2020_08_27;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 25 40 20|Page|20|Language=|22|Jscript|22 25 3e 3c 25|eval|28|"; fast_pattern; content:"FromBase64String"; distance:0; nocase; content:"|25 3e|"; distance:0; classtype:trojan-activity; sid:2027393; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_05_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ThinkPHP RCE Exploitation Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index"; content:"/invokefunction&function=call_user_func_array"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/45978; classtype:attempted-admin; sid:2026731; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_12_14, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Major, tag ThinkPHP, updated_at 2020_08_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Observed FxCodeShell Web Shell Password"; flow:established,to_server; http.request_body; content:"FxxkMyLie1836710Aa"; classtype:trojan-activity; sid:2027514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, malware_family FxCodeShell, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER 16Shop Phishing Kit Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>16SHOP"; fast_pattern; nocase; content:"<label>Public Key"; nocase; distance:0; content:"<label>Password"; nocase; distance:0; classtype:web-application-attack; sid:2029915; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Critical, updated_at 2020_09_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; http.uri; content:"/servlet/JavascriptProbe"; nocase; content:"documentElement=true"; nocase; content:"regexp=true"; nocase; content:"frames=true"; reference:url,www.securityfocus.com/bid/34454/info; classtype:web-application-attack; sid:2010622; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:".tar.gz"; nocase; classtype:bad-unknown; sid:2016992; rev:4; metadata:created_at 2013_06_08, updated_at 2020_09_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0042, updated_at 2020_09_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:9; metadata:created_at 2010_07_30, cve CVE_2009_2765, updated_at 2020_09_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ScriptResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6; metadata:created_at 2010_10_13, updated_at 2020_09_13;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Aribitrary File Upload Vulnerability in WP Mobile Detector"; flow:from_client,established; http.uri; content:"/wp-content/plugins/wp-mobile-detector/"; content:"resize.php?src=http"; fast_pattern; reference:url,pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/; classtype:attempted-user; sid:2022860; rev:4; metadata:created_at 2016_06_03, signature_severity Major, updated_at 2020_09_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; flowbits:set,ET.GOOTKIT; http.method; content:"GET"; http.uri; content:"/ftp"; nocase; http.header; content:!"www.trendmicro.com"; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest"; nocase; startswith; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; classtype:web-application-attack; sid:2011290; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/imc/login.jsf"; nocase; content:"loginForm"; nocase; content:"javax.faces.ViewState="; nocase; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; classtype:web-application-attack; sid:2011145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; content:"email|3D|"; nocase; content:"hostname|3D|"; nocase; content:"default|5F|domain|3D|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/37248/info; classtype:web-application-attack; sid:2010462; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"onmouseover="; nocase; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; classtype:web-application-attack; sid:2009715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; classtype:attempted-user; sid:2010460; rev:7; metadata:created_at 2010_07_30, cve CVE_2008_2165, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; classtype:attempted-recon; sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/support_param.html/config"; nocase; content:"Admin_Name=&Admin_Phone="; nocase; content:"Product_URL="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/i"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; classtype:web-application-attack; sid:2010919; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2009_2684, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; http.uri; content:".aspx|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:10; metadata:created_at 2010_07_30, cve CVE_2009_4444, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_cmdshell"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; classtype:web-application-attack; sid:2009815; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_servicecontrol"; nocase; pcre:"/(start|stop|continue|pause|querystate)/i"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; classtype:web-application-attack; sid:2009816; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"sp_adduser"; nocase; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; classtype:web-application-attack; sid:2009817; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_reg"; nocase; pcre:"/xp_reg(read|write|delete)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; classtype:web-application-attack; sid:2009818; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_fileexist"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; classtype:web-application-attack; sid:2009819; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_enumerrorlogs"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; classtype:web-application-attack; sid:2009820; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_readerrorlogs"; nocase; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; classtype:web-application-attack; sid:2009822; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_"; nocase; content:"_enum"; nocase; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; classtype:web-application-attack; sid:2009823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; classtype:attempted-recon; sid:2011142; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; classtype:attempted-recon; sid:2011143; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; classtype:attempted-recon; sid:2011144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=https|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/i"; classtype:web-application-attack; sid:2009152; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftp|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; classtype:web-application-attack; sid:2009153; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftps\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; classtype:web-application-attack; sid:2009155; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; http.uri; content:"ALTER"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; classtype:web-application-attack; sid:2010084; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; http.uri; content:"DROP"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; classtype:web-application-attack; sid:2010085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; http.uri; content:"CREATE"; nocase; pcre:"/^\s+(database|procedure|table|column|directory)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; classtype:web-application-attack; sid:2010086; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"CUR"; nocase; distance:0; pcre:"/^(?:DATE|TIME)/Ri"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; classtype:web-application-attack; sid:2010966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"TABLES"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; classtype:web-application-attack; sid:2010967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"VALUES"; nocase; distance:0; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); classtype:web-application-attack; sid:2011039; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; http.uri; content:"BENCHMARK("; nocase; content:")"; pcre:"/BENCHMARK\x28[0-9].+\x29/i"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; classtype:web-application-attack; sid:2011041; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_layouts/help.aspx"; nocase; content:"cid0="; nocase; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; classtype:web-application-attack; sid:2011073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2010_0817, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; http.uri; content:"/utility.cgi?testType="; nocase; content:"IP="; nocase; content:"|7C 7C|"; pcre:"/\x7C\x7C.+[a-z]/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; classtype:attempted-admin; sid:2010159; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"INSTR"; nocase; pcre:"/SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:2010284; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|0D 0A|Location|3A|"; nocase; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; classtype:web-application-attack; sid:2011763; rev:7; metadata:created_at 2010_07_30, cve CVE_2008_7257, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2009955; rev:15; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".pl~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2009949; rev:15; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".conf~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2009951; rev:15; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2009952; rev:15; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".aspx~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2009953; rev:15; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".cgi~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; classtype:web-application-attack; sid:2010820; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; threshold: type limit, track by_dst, count 3, seconds 60; http.method; content:"HEAD"; http.user_agent; content:"Mozilla/5.0 Jorgee"; depth:18; endswith; fast_pattern; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:6; metadata:created_at 2015_06_26, signature_severity Major, updated_at 2020_09_15;)

alert http any any -> any 10000 (msg:"ET WEB_SERVER Webmin RCE CVE-2019-15107"; flow:to_server,established; content:"/password_change.cgi"; depth:20; fast_pattern; endswith; http.method; content:"POST"; http.request_body; content:"|7c|"; reference:url,blog.firosolutions.com/exploits/webmin/; reference:cve,2019-15107; classtype:attempted-admin; sid:2027896; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_08_18, cve CVE_2019_15107, deployment Perimeter, deployment Internal, deployment Datacenter, signature_severity Critical, updated_at 2020_09_17;)

alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious e5b57288.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"e5b57288.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023229; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_09_17;)

alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 33db9538.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"33db9538.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023227; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_09_17;)

alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 9507c4e8.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"9507c4e8.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023228; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_09_17;)

alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 54dfa1cb.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"54dfa1cb.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023230; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_09_17;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; http.uri; content:"~1"; fast_pattern; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:5; metadata:created_at 2012_07_04, updated_at 2020_09_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; http.uri; content:"/net/?u="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.0)"; startswith; http.host; content:"net"; startswith; content:"net.net"; distance:2; within:7; endswith; pcre:"/^net[0-4]{2}net\.net$/i"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; http.uri; content:".php?x=img&img="; fast_pattern; classtype:web-application-activity; sid:2015926; rev:4; metadata:created_at 2012_11_24, updated_at 2020_09_17;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; http.user_agent; content:"<?php"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; http.user_agent; content:"base64_decode("; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/usr/bin/perl"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/bin/sh"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8; metadata:created_at 2010_09_28, updated_at 2020_09_18;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"error in your SQL syntax"; fast_pattern; classtype:bad-unknown; sid:2016672; rev:4; metadata:created_at 2013_03_27, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; http.uri; content:"xwork"; nocase; content:"MethodAccessor"; nocase; content:"denyMethodExecution"; nocase; fast_pattern; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:4; metadata:created_at 2013_05_24, updated_at 2020_09_18;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; http.header; content:"chunked"; nocase; fast_pattern; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/i"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:8; metadata:created_at 2013_05_23, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; http.uri; content:"allow_url_include"; fast_pattern; pcre:"/\ballow_url_include\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:5; metadata:created_at 2013_06_06, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; http.uri; content:"safe_mode"; fast_pattern; pcre:"/\bsafe_mode\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:5; metadata:created_at 2013_06_06, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; http.uri; content:"open_basedir"; fast_pattern; pcre:"/\bopen_basedir\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:6; metadata:created_at 2013_06_06, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; http.uri; content:"auto_prepend_file"; fast_pattern; pcre:"/\bauto_prepend_file\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:5; metadata:created_at 2013_06_06, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; http.uri; content:"suhosin.simulation"; fast_pattern; pcre:"/\bsuhosin\.simulation\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:6; metadata:created_at 2013_06_06, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; http.uri; content:"disable_functions"; fast_pattern; pcre:"/\bdisable_functions[\s\+]*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:7; metadata:created_at 2013_06_06, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; http.request_body; content:"xp_cmdshell"; nocase; fast_pattern; classtype:bad-unknown; sid:2017010; rev:5; metadata:created_at 2013_06_13, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; http.uri; content:".asp?action="; nocase; fast_pattern; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(?:&|$)/i"; classtype:trojan-activity; sid:2017091; rev:4; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; http.uri; content:"|0D 0A|"; fast_pattern; pcre:"/[\n\r](?:content-(?:type|length)|set-cookie|location)\x3a/i"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:5; metadata:created_at 2013_07_13, updated_at 2020_09_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, cve CVE_2013_2135, updated_at 2020_09_19;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; http.uri; content:"option=com_media"; nocase; fast_pattern; http.request_body; content:"Filedata[]"; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/i"; classtype:attempted-user; sid:2017327; rev:4; metadata:created_at 2013_08_14, updated_at 2020_09_19;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SERVER["; fast_pattern; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_GET["; fast_pattern; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_POST["; fast_pattern; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SERVER["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_GET["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_POST["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; http.uri; content:"/pwn.jsp?"; nocase; fast_pattern; content:"cmd="; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:6; metadata:created_at 2013_11_20, updated_at 2020_09_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; http.uri; content:"isn_getlog"; nocase; fast_pattern; pcre:"/[?&]isn_getlog/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:7; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2020_09_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4; metadata:created_at 2014_02_03, signature_severity Major, updated_at 2020_09_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; content:"Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*?boundary\s*?=\s*?[^\r\n]/Ri"; isdataat:4091,relative; content:!"|0A|"; within:4091; http.header; content:"multipart/form-data"; fast_pattern; reference:url,blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html; reference:cve,2014-0050; classtype:web-application-attack; sid:2018113; rev:4; metadata:created_at 2014_02_12, cve CVE_2014_0050, updated_at 2020_09_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels)"; flow:established,to_server; http.uri; content:"/log4jAdmin.jsp"; fast_pattern; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018202; rev:4; metadata:created_at 2014_03_04, updated_at 2020_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp"; flow:established,to_server; http.uri; content:".asp?mevla=1"; nocase; fast_pattern; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018370; rev:6; metadata:created_at 2014_04_07, updated_at 2020_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override URI"; flow:to_server,established; http.uri; content:"c99shcook["; nocase; fast_pattern; pcre:"/[&?]c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018601; rev:4; metadata:created_at 2014_06_24, signature_severity Major, updated_at 2020_09_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Client Body"; flow:to_server,established; http.request_body; content:"c99shcook["; nocase; fast_pattern; pcre:"/(?:^|&)c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018603; rev:4; metadata:created_at 2014_06_24, signature_severity Major, updated_at 2020_09_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; http.request_body; content:"base64_decode"; nocase; fast_pattern; classtype:trojan-activity; sid:2019182; rev:4; metadata:created_at 2014_09_16, signature_severity Major, updated_at 2020_09_25;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHPMyAdmin BackDoor Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/server_sync.php?"; fast_pattern; content:"c="; pcre:"/\/server_sync.php\?(?:.+?&)?c=/i"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:8; metadata:created_at 2012_09_26, updated_at 2020_09_25;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; http.request_body; content:"|25|28|25|29|25|20|25|7b|25|20"; fast_pattern; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:6; metadata:created_at 2014_09_25, cve CVE_2014_6271, updated_at 2020_09_25;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"curl|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"wget|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER lwp-download Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"lwp-download|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; http.uri; content:"|28 29 20 7b|"; fast_pattern; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:6; metadata:created_at 2014_09_25, cve CVE_2014_6271, updated_at 2020_09_25;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; http.request_body; content:"()|25|20|25|7b"; fast_pattern; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:5; metadata:created_at 2014_09_25, cve CVE_2014_6271, updated_at 2020_09_25;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; http.uri; content:"[$ne]"; fast_pattern; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; classtype:web-application-attack; sid:2019460; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030911; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; http.uri; content:"isn_logdel"; nocase; fast_pattern; pcre:"/[?&]isn_logdel/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:8; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2020_10_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; http.uri; content:"isn_logpath"; nocase; fast_pattern; pcre:"/[?&]isn_logpath/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:8; metadata:created_at 2013_12_10, signature_severity Major, updated_at 2020_10_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_02;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_02;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030946; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_02;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_02;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_02;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030952; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_02;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL Linux/Torte Uploaded"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"JGVudiA9ICJYRFZTTl9TRVNTSU9OX0NPT0tJR"; fast_pattern; content:"eval(base64_decode($_REQUEST["; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:attempted-admin; sid:2022359; rev:4; metadata:created_at 2016_01_13, signature_severity Major, updated_at 2020_10_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL JSP/Backdoor Shell Access"; flow:established,to_server; http.uri; content:".war?cmd="; fast_pattern; content:"&winurl="; content:"&linurl="; pcre:"/\.war\?cmd=[a-zA-Z0-9+/=]+&winurl=[a-zA-Z0-9+/=]*&linurl=[a-zA-Z0-9+/=]*/"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:successful-admin; sid:2022348; rev:5; metadata:created_at 2016_01_12, signature_severity Major, updated_at 2020_10_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3718 SSRF Inbound (mvg + fill + url)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"fill"; content:"url("; distance:0; nocase; pcre:"/^\s*https?\x3a\/\//Ri"; classtype:web-application-attack; sid:2022791; rev:5; metadata:created_at 2016_05_04, cve CVE_2016_3718, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3715 File Deletion Inbound (ephermeral:+ mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"ephemeral"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022792; rev:5; metadata:created_at 2016_05_04, cve CVE_2016_3715, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3716 Move File Inbound (msl: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"msl"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022793; rev:5; metadata:created_at 2016_05_04, cve CVE_2016_3716, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3717 Local File Read Inbound (label: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"label"; nocase; pcre:"/^\s*\x3a\s*\x40/Ri"; classtype:web-application-attack; sid:2022794; rev:5; metadata:created_at 2016_05_04, cve CVE_2016_3717, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; pcre:"/https\x3a.+(?<!\x5c)(:[\x22\x27]|\\x2[27])\s*?[\x3b&\x7c><].*?(:[\x22\x27]|\\x2[27])/si"; classtype:web-application-attack; sid:2022789; rev:6; metadata:created_at 2016_05_04, cve CVE_2016_3714, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)"; flow:established,to_server; http.request_body; content:"<svg|20|"; nocase; fast_pattern; content:"xlink"; nocase; pcre:"/xlink\s*?\x3a\s*?href\s*?=\s*?(:[\x22\x27]|\\x2[27])https.+?&quot\s*?\x3b(?:\x7c|&(?:[gl]t|amp)\s*?\x3b)/si"; classtype:web-application-attack; sid:2022790; rev:6; metadata:created_at 2016_05_04, cve CVE_2016_3714, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; threshold: type both, track by_src, count 15, seconds 30; http.referer; content:"/slowhttptest/"; fast_pattern; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:6; metadata:created_at 2012_01_10, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M1"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022848; rev:4; metadata:created_at 2016_06_01, cve CVE_2016_5118, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M2"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 22 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022849; rev:4; metadata:created_at 2016_06_01, cve CVE_2016_5118, signature_severity Major, updated_at 2020_10_06;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Continuum Arbitrary Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/saveInstallation.action"; fast_pattern; http.request_body; content:"&installation.varValue="; content:"|25|60"; classtype:attempted-user; sid:2022912; rev:4; metadata:created_at 2016_06_22, signature_severity Major, updated_at 2020_10_06;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"9507c4e8.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023232; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"e5b57288.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023233; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; http.header; content:"Range|3a|"; nocase; content:"18446744073709551615"; fast_pattern; distance:0; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/mi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:5; metadata:created_at 2015_04_15, cve CVE_2015_1635, signature_severity Major, updated_at 2020_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; http.uri; content:"/level/15/exec/-/"; fast_pattern; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/i"; classtype:web-application-attack; sid:2010623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031014; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_14;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031016; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; http.user_agent; content:"czxt2s"; nocase; depth:6; endswith; classtype:web-application-attack; sid:2011174; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; http.uri; content:"backupdata"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012286; rev:7; metadata:created_at 2011_02_04, updated_at 2020_10_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; http.uri; content:"backup_data"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012287; rev:6; metadata:created_at 2011_02_04, updated_at 2020_10_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; http.user_agent; content:"Jcomers Bot"; nocase; depth:11; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; sid:2011285; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_15;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031026; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_19;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, confidence Medium, signature_severity Major, tag Phishing, updated_at 2020_10_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; http.user_agent; content:"revolt"; depth:6; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2009288; rev:59; metadata:created_at 2010_07_30, updated_at 2020_10_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; http.user_agent; content:"DataCha0s"; nocase; depth:9; reference:url,www.internetofficer.com/web-robot/datacha0s.html; classtype:web-application-activity; sid:2003616; rev:41; metadata:created_at 2010_07_30, updated_at 2020_10_19;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)"; flow:established,to_server; http.uri; content:"|25|OA"; nocase; content:"=/bin/sh+-c+'"; nocase; distance:0; fast_pattern; reference:url,github.com/neex/phuip-fpizdam; reference:url,github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043; reference:cve,2019-11043; classtype:web-application-attack; sid:2028895; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2019_10_23, cve CVE_2019_11043, deployment Perimeter, signature_severity Major, updated_at 2020_10_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd%20/tmp|3b|wget%20"; depth:24; fast_pattern; http.header.raw; content:"Mozilla/5.0%20(Windows|3b|%20U|3b|%20Windows%20NT"; reference:md5,a26f67a1d0a50af72c5fd9c94e9f5a1c; classtype:web-application-attack; sid:2029008; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_11_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic File Upload Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_22;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_22;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; http.request_body; content:"dbhost="; content:"dbuser="; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:4; metadata:created_at 2013_07_02, signature_severity Major, updated_at 2020_10_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/statuswml.cgi?"; nocase; content:"ping"; nocase; pcre:"/^\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ri"; reference:bugtraq,35464; classtype:web-application-attack; sid:2009670; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_28, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; http.method; content:"POST"; http.uri; content:"/jmx-console/HtmlAdaptor"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:2010379; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; content:"DeploymentScanner"; nocase; content:"methodName=addURL"; nocase; content:"=http"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:2010380; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, updated_at 2020_11_02;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OvCgi/Toolbar.exe"; nocase; fast_pattern; http.header; content:"Accept-Language|3a 20|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3a|"; distance:0; reference:cve,2009-0921; classtype:web-application-attack; sid:2010864; rev:10; metadata:created_at 2010_07_30, cve CVE_2009_0921, confidence High, updated_at 2020_11_02;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; fast_pattern; content:"&utm_source="; distance:0; pcre:"/^\/blog\/\?[a-z]{3,20}+\&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:command-and-control; sid:2022260; rev:4; metadata:created_at 2015_12_14, signature_severity Major, updated_at 2020_11_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http.method; content:"POST"; http.connection; content:"close"; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019749; rev:4; metadata:created_at 2014_11_20, signature_severity Major, updated_at 2020_11_03;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031174; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_11_04;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; fast_pattern; content:">MAILER INBOX SENDING"; distance:0; classtype:web-application-attack; sid:2031177; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_11_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; http.method; content:"GET"; http.cookie; content:"cm="; content:"cn=M-cookie|3b|"; fast_pattern; content:"cp="; reference:url,panagioto.com/webacoo-backdoor-detection; classtype:web-application-activity; sid:2022295; rev:5; metadata:created_at 2015_12_22, signature_severity Major, updated_at 2020_11_05;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019748; rev:4; metadata:created_at 2014_11_20, signature_severity Major, updated_at 2020_11_05;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/api/xmlrpc"; http.request_body; content:"file|3a 2f 2f 2f|"; fast_pattern; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:4; metadata:created_at 2012_08_15, updated_at 2020_11_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SET"; nocase; distance:0; http.uri; content:"SHOW"; nocase; content:"CHARACTER"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; classtype:web-application-attack; sid:2010964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, cve CVE_2010_0369, updated_at 2020_11_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/OvCgi/ovalarm.exe"; nocase; fast_pattern; content:"OVABverbose="; nocase; distance:0; pcre:"/^(1|on|true)/Ri"; http.accept_lang; isdataat:100,relative; reference:cve,2009-4179; classtype:web-application-attack; sid:2010704; rev:10; metadata:created_at 2010_07_30, cve CVE_2009_4179, confidence Low, updated_at 2020_11_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; http.uri; content:"+CSCOE+/files/browse.html"; nocase; fast_pattern; content:"code=init"; nocase; distance:0; content:"path=ftp"; nocase; distance:0; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; classtype:attempted-user; sid:2010457; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, cve CVE_2009_1203, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_07;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_11_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031201; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_11_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031202; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_11_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<%@|20|Page|20|Language=|22|Jscript|22|%><eval|28|Request.Item|5b|"; fast_pattern; content:"|22 29 3b|%>"; within:50; classtype:trojan-activity; sid:2027341; rev:4; metadata:created_at 2019_05_09, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER BlackSquid JSP Webshell Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<|25 25|java.io.InputStream|20|"; depth:25; content:"Runtime.getRunetime|28 29|.exec|28|request"; within:50; content:".getInputStream|28 29 3b|int|20|"; distance:0; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/; classtype:attempted-admin; sid:2027433; rev:3; metadata:attack_target Web_Server, created_at 2019_06_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_22, updated_at 2020_11_19;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_25, cve CVE_2014_6271, updated_at 2020_11_19, reviewed_at 2024_03_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031243; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_12_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031271; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_12_08;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031415; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_12_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031429; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_12_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031437; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_12_21;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_01_04;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031513; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_01_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031606; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_02_08;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER DEWMODE Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:".php?csrftoken="; content:"|22|><font|20|size=4>Cleanup|20|Shell</font>"; fast_pattern; content:"file_id"; content:"path"; content:"file_name"; content:"uploaded_by"; content:"Recipient"; content:"Actions"; reference:url,www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html; reference:md5,2798c0e836b907e8224520e7e6e4bb42; reference:md5,bdfd11b1b092b7c61ce5f02ffc5ad55a; classtype:attempted-admin; sid:2031650; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form action=|22 22 20|"; content:"<input|20|type=|22|text|22 20|name=|22|_jy|22|><input|20|type=|22|submit|22 20|value=|22|>>"; fast_pattern; classtype:attempted-admin; sid:2031651; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2021_02_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031679; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_03_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Uploader Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031681; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_03_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:4; metadata:created_at 2013_10_17, updated_at 2021_03_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (External)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031879; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2021_03_09;)

alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (Internal)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031880; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2021_03_09;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032005; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_03_15;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032087; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_03_17;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032089; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_03_17;)

alert http any any -> any any (msg:"ET WEB_SERVER Babydraco WebShell Activity"; flow:established,to_server; http.uri; content:"/owa/auth/babydraco.aspx"; bsize:24; fast_pattern; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:attempted-admin; sid:2032344; rev:1; metadata:created_at 2021_03_29, signature_severity Major, updated_at 2021_03_29, reviewed_at 2023_12_01;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032520; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_04_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032522; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_04_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032635; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_04_09;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032739; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_04_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032741; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_04_12;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032775; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_04_16;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M1"; flow:established,to_server; http.cookie; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L146-L151; classtype:attempted-admin; sid:2032928; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2021_05_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"mgdminhtml="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032929; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2021_05_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M3"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"name=|22|mgdminhtml|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032930; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2021_05_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032931; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2021_05_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|lolzilla|22|"; fast_pattern; content:"name=|22|g|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032932; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2021_05_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/licenseserverproto.cgi"; content:"serverid="; content:"csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa"; distance:0; within:35; fast_pattern; classtype:attempted-admin; sid:2033790; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, signature_severity Major, updated_at 2021_08_25;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=exec"; fast_pattern; content:"&newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034006; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [upload] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=upload"; fast_pattern; content:"&path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034009; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034246; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_10_25;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034248; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_10_25;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspicious PHP UNZIP Tool Accessed on Internal Possibly Compromised Server"; flow:established,to_client; file.data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034337; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, signature_severity Major, updated_at 2021_11_03;)

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; content:"bash|20 2d|c"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, cve CVE_2014_6271, updated_at 2021_11_03, reviewed_at 2024_03_06;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034440; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; content:!"twitter.com"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; classtype:web-application-attack; sid:2010965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M1"; flow:to_server,established; http.uri; content:"?dest="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036428; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M2"; flow:to_server,established; http.uri; content:"?redirect="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036429; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M3"; flow:to_server,established; http.uri; content:"?uri="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036430; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M4"; flow:to_server,established; http.uri; content:"?path="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036431; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M5"; flow:to_server,established; http.uri; content:"?continue="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036432; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M6"; flow:to_server,established; http.uri; content:"?url="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036433; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M7"; flow:to_server,established; http.uri; content:"?window="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036434; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M8"; flow:to_server,established; http.uri; content:"?next="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036435; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M9"; flow:to_server,established; http.uri; content:"?data="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036436; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M10"; flow:to_server,established; http.uri; content:"?reference="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036437; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M11"; flow:to_server,established; http.uri; content:"?site="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036438; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M12"; flow:to_server,established; http.uri; content:"?html="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036439; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M13"; flow:to_server,established; http.uri; content:"?val="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036440; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M14"; flow:to_server,established; http.uri; content:"?validate="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036441; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M15"; flow:to_server,established; http.uri; content:"?domain="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036442; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M16"; flow:to_server,established; http.uri; content:"?callback="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036443; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M17"; flow:to_server,established; http.uri; content:"?return="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036444; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M18"; flow:to_server,established; http.uri; content:"?page="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036445; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M19"; flow:to_server,established; http.uri; content:"?feed="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036446; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M20"; flow:to_server,established; http.uri; content:"?host="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036447; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M21"; flow:to_server,established; http.uri; content:"?port="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036448; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M22"; flow:to_server,established; http.uri; content:"?to="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036449; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M23"; flow:to_server,established; http.uri; content:"?out="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036450; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M24"; flow:to_server,established; http.uri; content:"?view="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036451; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M25"; flow:to_server,established; http.uri; content:"?dir="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036452; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2022_05_02;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell arp Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=arp|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037004; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell del Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=del|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037005; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell systeminfo Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=systeminfo"; fast_pattern; endswith; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037006; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell tasklist Command (Inbound)"; flow:established,to_server; http.uri; content:".jsp?cmd=tasklist"; fast_pattern; endswith; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037007; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell wmic Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=wmic|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037008; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell ipconfig Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=ipconfig|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037009; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell query Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=query|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037010; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell registry Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=reg|2b|query"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037011; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell net Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=net|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037012; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell netstat Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=netstat|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037013; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell directory listing Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?p=C|3a 2f|"; fast_pattern; nocase; content:"&action=get"; distance:0; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037014; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell Activity (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?file=C|3a 2f|"; fast_pattern; nocase; content:"&data="; distance:0; content:"&p=C|3a 2f|"; distance:0; content:"&action="; distance:0; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037015; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell Activity (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?action="; fast_pattern; content:"&p=C|3a 2f|"; distance:0; content:"&filename="; distance:0; nocase; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037016; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager Backdoor ReadFile Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSIONID=ReadFile-"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037218; rev:1; metadata:attack_target Server, created_at 2022_06_30, deployment Perimeter, deployment Internal, malware_family SessionManager, signature_severity Major, tag Exploit, updated_at 2022_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:5; metadata:created_at 2013_01_12, updated_at 2022_07_01;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack (CVE-2013-6397)"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:4; metadata:created_at 2013_12_18, updated_at 2022_07_11;)

#alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi (CVE-2012-1557)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:5; metadata:created_at 2013_04_27, updated_at 2022_07_12;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:6; metadata:created_at 2013_07_17, updated_at 2022_07_12;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.uri; content:".action?"; content:"redirectAction|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:6; metadata:created_at 2013_07_17, updated_at 2022_07_12;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:6; metadata:created_at 2013_07_17, updated_at 2022_07_12;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])pwd=/i"; pcre:"/(?:^|[\n\&])name=(?:%\d{2}|[^%&]){129}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017684; rev:4; metadata:created_at 2013_11_07, confidence Low, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])name=/i"; pcre:"/(?:^|[\n\&])pwd=(?:%\d{2}|[^%&]){25}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017685; rev:4; metadata:created_at 2013_11_07, confidence Low, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/close_window.cgi"; nocase; http.request_body; content:"sess_sid="; nocase; pcre:"/(?:^|[\n\&])sess_sid=(?:%\d{2}|[^%&]){21}/"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017686; rev:4; metadata:created_at 2013_11_07, confidence Low, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/close_window.cgi"; nocase; http.request_body; content:"ACT="; nocase; pcre:"/(?:^|[\n\&])ACT=(?:%\d{2}|[^%&]){21}/i"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017687; rev:4; metadata:created_at 2013_11_07, confidence Low, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails RCE Attempt Inbound (CVE-2013-0333)"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:9; metadata:created_at 2013_01_30, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.request_body; content:"redirect|3a|"; content:"{"; distance:0; pcre:"/\bredirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:7; metadata:created_at 2013_07_24, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.request_body; content:"redirectAction|3a|"; content:"{"; pcre:"/\bredirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:7; metadata:created_at 2013_07_24, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.request_body; content:"action|3a|"; content:"{"; distance:0; pcre:"/\baction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:7; metadata:created_at 2013_07_24, updated_at 2022_07_13;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; http.method; content:"POST"; http.uri; content:"/adminapi/administrator.cfc?"; nocase; content:"method"; nocase; content:"login"; nocase; http.request_body; content:"rdsPasswordAllowed"; nocase; fast_pattern; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(?:true|1)/i"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:5; metadata:created_at 2013_08_22, updated_at 2022_07_13;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Suspected China Chopper Variant Webshell Command (inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"kfaero="; startswith; fast_pattern; content:"&Z1="; distance:0; within:5; content:"&Z2="; distance:0; reference:url,www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/; classtype:attempted-admin; sid:2038490; rev:1; metadata:attack_target Web_Server, created_at 2022_08_11, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_08_11, reviewed_at 2024_05_07;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:3; metadata:created_at 2014_02_07, confidence High, updated_at 2022_08_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Antsword Related Webshell Activity (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ews/web/webconfig/"; http.header_names; content:!"Referer"; http.request_body; content:"|0d 0a|RPDbgEsJF9o8S=|0d 0a|"; fast_pattern; reference:url,www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; classtype:web-application-attack; sid:2039066; rev:1; metadata:attack_target Web_Server, created_at 2022_09_29, deployment Perimeter, signature_severity Major, updated_at 2022_09_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspected Generic Webshell Activity (Outbound)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|20|id=|22|L_p|22|"; content:"Program</span>"; distance:0; content:"|22|xpath|22 20|type=|22|text|22 20|value=|22|c|3a 5c|windows|5c|system32|5c|cmd.exe|22|"; fast_pattern; content:"|22|xcmd|22 20|type=|22|text|22 20|value=|22|/c net user|22 20|id=|22|xcmd|22|"; distance:0; reference:md5,e3af60f483774014c43a7617c44d05e7; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage; classtype:web-application-attack; sid:2039079; rev:1; metadata:attack_target Web_Server, created_at 2022_10_03, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2022_10_03;)

alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - SSH Key Upload (CVE-2022-40684)"; flow:established,to_client; flowbits:isset,ET.CVE-2022-40684; http.response_body; content:"SSH key is good"; nocase; fast_pattern; reference:url,www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/; reference:url,github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py; reference:cve,2022-40684; classtype:successful-admin; sid:2039419; rev:1; metadata:affected_product Web_Server_Applications, affected_product Fortigate, attack_target Server, created_at 2022_10_17, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, signature_severity Critical, updated_at 2022_10_20; target:src_ip;)

alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Administrative Details Leaked (CVE-2022-40684)"; flow:established,to_client; flowbits:isset,ET.CVE-2022-40684; http.response_body; content:"results"; nocase; content:"accprofile"; nocase; fast_pattern; reference:url,www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/; reference:url,github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py; reference:cve,2022-40684; classtype:successful-admin; sid:2039420; rev:1; metadata:affected_product Web_Server_Applications, affected_product Fortigate, attack_target Server, created_at 2022_10_17, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Critical, updated_at 2022_10_20; target:src_ip;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684)"; flow:established,to_server; flowbits:set,ET.CVE-2022-40684; http.uri; content:"/api/v2/"; startswith; nocase; content:"/system/"; nocase; distance:0; http.header; content:"Forwarded|3a 20|"; nocase; content:"for|3d 22 5b|127|2e|0|2e|0|2e|1|5d 3a|"; nocase; distance:0; fast_pattern; pcre:"/^Forwarded\x3a\x20[^\r\n]*for=\x22\x5b127\.0\.0\.1\x5d\x3a/mi"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/; reference:url,horizon3.ai/fortinet-iocs-cve-2022-40684/; reference:cve,2022-40684; classtype:attempted-admin; sid:2039173; rev:3; metadata:affected_product Web_Server_Applications, affected_product Fortigate, attack_target Web_Server, created_at 2022_10_12, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_10_20, reviewed_at 2024_12_02;)

alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Config Leaked (CVE-2022-40684)"; flow:established,to_client; flowbits:isset,ET.CVE-2022-40684; http.response_body; content:"#config-version="; startswith; content:"user=Local_Process_Access|0a|#conf_file_ver="; within:500; fast_pattern; content:"|0a|#buildno="; within:500; reference:url,www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/; reference:url,github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py; reference:cve,2022-40684; classtype:successful-admin; sid:2039485; rev:1; metadata:affected_product Web_Server_Applications, affected_product Fortigate, attack_target Web_Server, created_at 2022_10_20, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_10_20; target:src_ip;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.host; content:"33db9538.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023231; rev:5; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2022_11_21;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.host; content:"54dfa1cb.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023234; rev:5; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_21;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:4; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

#alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:5; metadata:created_at 2014_09_26, confidence Low, updated_at 2022_11_23;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; http.uri; content:"/proc/self/environ"; nocase; classtype:web-application-attack; sid:2012230; rev:7; metadata:attack_target Web_Server, created_at 2011_01_25, deployment Perimeter, updated_at 2022_12_01;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/fd/"; flow:established,to_server; http.uri; content:"/proc/self/fd/"; nocase; fast_pattern; classtype:web-application-attack; sid:2019110; rev:5; metadata:attack_target Web_Server, created_at 2014_09_04, updated_at 2022_12_01, reviewed_at 2024_03_20;)

alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/<pid>/smaps"; flow:established,to_server; http.uri; content:"proc/"; nocase; content:"/smaps"; nocase; endswith; fast_pattern; pcre:"/proc\/\d+\/smaps$/"; classtype:web-application-attack; sid:2041448; rev:1; metadata:attack_target Web_Server, created_at 2022_12_01, signature_severity Minor, updated_at 2022_12_01;)

alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/<pid>/cmdline"; flow:established,to_server; http.uri; content:"proc/"; nocase; content:"/cmdline"; nocase; endswith; fast_pattern; pcre:"/proc\/\d+\/cmdline$/"; classtype:web-application-attack; sid:2041449; rev:2; metadata:attack_target Web_Server, created_at 2022_12_01, signature_severity Minor, updated_at 2022_12_01;)

#alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/<pid>/maps"; flow:established,to_server; http.uri; content:"proc/"; nocase; content:"/maps"; nocase; endswith; fast_pattern; pcre:"/proc\/\d+\/maps$/"; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; classtype:web-application-attack; sid:2041645; rev:1; metadata:attack_target Web_Server, created_at 2022_12_02, signature_severity Minor, updated_at 2022_12_02;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Activity (Response)"; flow:established,to_client; file.data; content:"<body><title>FILE MANAGER v.1.0</title>"; content:"<h1>Green Dinosaur</h1>"; fast_pattern; content:"|61 63 74 69 6f 6e 3d 27 3f 66 70 61 74 68 3d|"; distance:0; reference:md5,9cdda333432f403b408b9fe717163861; classtype:web-application-attack; sid:2044914; rev:1; metadata:attack_target Web_Server, created_at 2023_04_10, deployment Perimeter, confidence High, signature_severity Major, updated_at 2023_04_10; target:src_ip;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Common JSP WebShell String Observed in HTTP Header M1"; flow:to_server,established; http.header; content:"request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035671; rev:2; metadata:created_at 2022_03_31, confidence Medium, signature_severity Major, updated_at 2023_04_19;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Common JSP WebShell String Observed in HTTP Header M2"; flow:to_server,established; http.header; content:"executeCmd|28|request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035672; rev:2; metadata:created_at 2022_03_31, confidence Medium, signature_severity Major, updated_at 2023_04_19;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Common JSP WebShell String Observed in HTTP Header M3"; flow:to_server,established; http.header; content:"getRuntime|28 29|.exec"; fast_pattern; nocase; classtype:attempted-admin; sid:2035673; rev:2; metadata:created_at 2022_03_31, confidence Medium, signature_severity Major, updated_at 2023_04_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor GETFILE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=GETFILE|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037219; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor PUTFILE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=PUTFILE|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037220; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor DELETEFILE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=DELETEFILE|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037221; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor FILESIZE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=FILESIZE|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037222; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor CMD Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=CMD|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037223; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor PING Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=PING|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037224; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5CONNECT Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5CONNECT|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037225; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5WRITE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5WRITE|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037226; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5READ Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5READ|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037227; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5CLOSE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5CLOSE|3b|"; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037228; rev:2; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, malware_family SessionManager, signature_severity Major, updated_at 2023_05_11, reviewed_at 2024_01_08;)

#alert dns $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox)"; dns.query; content:"anonymousfox."; startswith; fast_pattern; pcre:"/(?:is|mx|info|co)$/"; reference:url,twitter.com/unmaskparasites/status/1507038308789936150; classtype:bad-unknown; sid:2035612; rev:3; metadata:attack_target Web_Server, created_at 2022_03_25, deployment Perimeter, signature_severity Major, updated_at 2023_05_18;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER LEMURLOOT WebShell Interaction Header (X-siLock-Comment) - Observed in MOVEit File Transfer - INBOUND"; flow:established,to_server; http.header_names; content:"|0d 0a|X-siLock-Comment|0d 0a|"; nocase; fast_pattern; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:md5,af136505d384c9a89635b365e55b7fa3; classtype:attempted-admin; sid:2046047; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_06_02;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Request - Observed in MOVEit File Transfer - INBOUND"; flow:established,to_server; http.header_names; content:"|0d 0a|X-siLock-Comment|0d 0a|"; nocase; content:"|0d 0a|X-siLock-Step1|0d 0a|"; fast_pattern; nocase; http.header; content:"X-siLock-Step1|3a 20|-1"; nocase; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:md5,af136505d384c9a89635b365e55b7fa3; reference:url,www.mandiant.com/resources/blog/zero-day-moveit-data-theft; classtype:attempted-admin; sid:2046049; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_06_02; target:dest_ip;)

alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Response - Observed in MOVEit File Transfer - OUTBOUND (Active Compromise)"; flow:established,to_client; http.header_names; content:"|0d 0a|X-siLock-Comment|0d 0a|"; content:"|0d 0a|AzureBlobStorageAccount|0d 0a|"; content:"|0d 0a|AzureBlobKey|0d 0a|"; content:"|0d 0a|AzureBlobContainer|0d 0a|"; fast_pattern; nocase; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:md5,af136505d384c9a89635b365e55b7fa3; reference:url,www.mandiant.com/resources/blog/zero-day-moveit-data-theft; classtype:successful-admin; sid:2046050; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence High, signature_severity Critical, tag WebShell, updated_at 2023_06_02; target:src_ip;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -2 Health Check User Delete Request - Observed in MOVEit File Transfer - INBOUND"; flow:established,to_server; http.header_names; content:"|0d 0a|X-siLock-Comment|0d 0a|"; content:"|0d 0a|X-siLock-Step1|0d 0a|"; fast_pattern; nocase; http.header; content:"X-siLock-Step1|3a 20|-2"; nocase; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:md5,af136505d384c9a89635b365e55b7fa3; reference:url,www.mandiant.com/resources/blog/zero-day-moveit-data-theft; classtype:attempted-admin; sid:2046051; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence Medium, signature_severity Major, tag WebShell, updated_at 2023_06_02; target:dest_ip;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step2/3 File Retrieval Request- Observed in MOVEit File Transfer - INBOUND"; flow:established,to_server; http.header_names; content:"|0d 0a|X-siLock-Comment|0d 0a|"; content:"|0d 0a|X-siLock-Step2|0d 0a|"; fast_pattern; nocase; content:"|0d 0a|X-siLock-Step3|0d 0a|"; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:md5,af136505d384c9a89635b365e55b7fa3; reference:url,www.mandiant.com/resources/blog/zero-day-moveit-data-theft; classtype:attempted-admin; sid:2046052; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_06_02;)

alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SERVER LEMURLOOT WebShell Interaction Header (X-siLock-Comment) - Observed in MOVEit File Transfer - OUTBOUND (Active Compromise)"; flow:established,to_client; http.header_names; content:"|0d 0a|X-siLock-Comment|0d 0a|"; nocase; fast_pattern; http.header; content:"X-siLock-Comment|3a 20|"; nocase; content:"comment"; within:7; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:md5,af136505d384c9a89635b365e55b7fa3; reference:url,www.mandiant.com/resources/blog/zero-day-moveit-data-theft; classtype:successful-admin; sid:2046048; rev:2; metadata:attack_target Web_Server, created_at 2023_06_02, deployment Perimeter, deployment SSLDecrypt, malware_family LEMURLOOT, performance_impact Low, confidence High, signature_severity Critical, tag WebShell, updated_at 2023_06_05; target:src_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ASPXSPY Webshell Login Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"|5f 5f|EVENTTARGET|3d 26 5f 5f|FILE|3d|"; startswith; content:"HRJ|3d|"; content:"|26|ZSnXu=Login"; fast_pattern; endswith; reference:md5,2ef7bb0d9763cf38977182d65173d1b0; classtype:trojan-activity; sid:2046744; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_07_06, deployment Perimeter, deployment Internal, deployment SSLDecrypt, malware_family ASPXSPY, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_07_06; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ASPXSPY - Manic Menagerie Variant Activity M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.cookie; content:"Backdoor="; pcre:"/^[a-f0-9]{32}/R"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5f 5f|EVENTTARGET|22 0d 0a 0d 0a|Bin_"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5f 5f|FILE|22 0d 0a 0d 0a|"; reference:md5,2ef7bb0d9763cf38977182d65173d1b0; reference:url,unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/; classtype:trojan-activity; sid:2046753; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_07_07, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_07_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Webshell Activity"; flow:established,to_client; file.data; content:"/home/aravalcl/public_html/"; fast_pattern; content:"ob_start|28 29|"; content:">Command</a>>"; content:"Software|3a|"; reference:md5,f899d6cbe1be6395a0fa2a802b8eb579; classtype:trojan-activity; sid:2048557; rev:1; metadata:attack_target Web_Server, created_at 2023_10_13, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_10_13, reviewed_at 2023_10_13; target:src_ip;)

alert http $HOME_NET any -> any any (msg:"ET WEB_SERVER Generic Webshell Activity (POST)"; flow:established,to_client; file.data; content:"<html><head><meta http-equiv=|27|Content-Type|27 20|content=|27|text/html"; content:"charset="; distance:0; content:"><title>"; distance:0; content:"|20|-|20|WSO|20|"; within:50; fast_pattern; reference:md5,eda02ae6dd7d0fe841653f5e6a69d17e; classtype:web-application-attack; sid:2048923; rev:1; metadata:attack_target Web_Server, created_at 2023_10_27, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Critical, updated_at 2023_10_27, reviewed_at 2023_10_27; target:src_ip;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity"; flow:established,to_client; http.response_body; content:"200"; fast_pattern; startswith; pcre:"/^\n(?:[0-9A-F]{118})\n$/R"; reference:md5,126bc1c30fba27f8bf67dce4892b1e8c; reference:url,research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/; classtype:trojan-activity; sid:2049011; rev:1; metadata:attack_target Server, created_at 2023_11_01, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2023_11_03, reviewed_at 2023_11_01, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity"; flow:established,to_client; http.response_body; content:"200"; fast_pattern; startswith; pcre:"/^\n(?:[0-9A-F]{122})\n1.5\n$/R"; reference:md5,2e803d28809be2a0216f25126efde37b; reference:url,research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/; classtype:trojan-activity; sid:2049012; rev:1; metadata:attack_target Server, created_at 2023_11_01, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2023_11_03, reviewed_at 2023_11_01, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Tunna Variant Webshell Activity"; flow:established,to_client; http.response_body; content:"Tunna v1.1g"; fast_pattern; startswith; reference:md5,c21eefc65cda49f17ddd1d243a7bffb5; reference:url,research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/; classtype:trojan-activity; sid:2049010; rev:2; metadata:attack_target Server, created_at 2023_11_01, deployment Perimeter, confidence High, signature_severity Major, tag WebShell, updated_at 2023_11_03, reviewed_at 2023_11_01, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /etc/passwd Detected in URI"; flow:established,to_server; http.uri; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:2049400; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2023_11_29, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_11_29;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /etc/hosts Detected in URI"; flow:established,to_server; http.uri; content:"/etc/hosts"; nocase; classtype:attempted-recon; sid:2049401; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2023_11_29, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_11_29;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER .bash_history Detected in URI"; flow:established,to_server; http.uri; content:"|2e|bash_history"; nocase; classtype:attempted-recon; sid:2049402; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2023_11_29, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_11_30; target:dest_ip;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Simple JSP WebShell Landing Page"; flow:established,to_client; http.response_body; content:"|3c|HTML|3e 3c|BODY|3e|"; content:"Commands with JSP"; within:20; reference:md5,5b739059ebb590df7bc7ed33c8d62531; reference:url,www.cisa.gov/sites/default/files/publications/MAR-10410305.r1.v1.CLEAR_0.pdf; classtype:attempted-user; sid:2049405; rev:1; metadata:attack_target Server, created_at 2023_11_30, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_11_30, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER vonloesch JSP File Browser"; flow:established,to_client; http.response_body; content:"jsp File Browser version"; fast_pattern; content:"www.vonloesch.de"; within:120; reference:md5,1a02e6179cfc8118c1864890ea0e5e77; classtype:attempted-user; sid:2049406; rev:1; metadata:attack_target Server, created_at 2023_11_30, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2023_11_30, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"cmd="; fast_pattern; nocase; pcre:"/[&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/i"; reference:cve,2002-0953; classtype:web-application-attack; sid:2010920; rev:10; metadata:created_at 2010_07_30, cve CVE_2002_0953, updated_at 2024_01_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected HrServ Webshell Related Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/"; startswith; fast_pattern; content:"&cp="; distance:0; pcre:"/^[0247]/R"; content:"&client="; within:8; content:"&xssi="; distance:0; content:"&hl="; distance:0; content:"&authuser="; distance:0; content:"&pq="; distance:0; reference:url,securelist.com/hrserv-apt-web-shell/111119/; reference:md5,d0fe27865ab271963e27973e81b77bae; classtype:trojan-activity; sid:2050028; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2024_01_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2024_01_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected HrServ Webshell Related Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/"; startswith; fast_pattern; content:"&cp="; distance:0; pcre:"/^[16]/R"; content:"&client="; within:8; content:"&xssi="; distance:0; content:"&hl="; distance:0; content:"&authuser="; distance:0; content:"&pq="; distance:0; reference:url,securelist.com/hrserv-apt-web-shell/111119/; reference:md5,d0fe27865ab271963e27973e81b77bae; classtype:trojan-activity; sid:2050029; rev:1; metadata:attack_target Web_Server, created_at 2024_01_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2024_01_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:dest_ip;)

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; http.user_agent; content:"Googlebot-"; fast_pattern; nocase; content:!"Googlebot-News"; startswith; content:!"Googlebot-Image/1.0"; startswith; content:!"Googlebot-Video/1.0"; startswith; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)"; endswith; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:4; metadata:created_at 2012_07_26, updated_at 2024_01_27;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; http.content_type; content:"application|2f|x-www-form-urlencoded"; nocase; startswith; http.request_body; pcre:"/([^=]+=[^&]*&){500}/O"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:4; metadata:created_at 2011_12_30, performance_impact Significant, updated_at 2024_02_08;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; http.content_type; content:"multipart/form-data"; nocase; startswith; http.request_body; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/Osmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:4; metadata:created_at 2011_12_30, performance_impact Significant, updated_at 2024_02_08;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER xp_cmdshell Attempt in Cookie"; flow:established,to_server; http.cookie; content:"xp_cmdshell"; nocase; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=4072; classtype:web-application-attack; sid:2010119; rev:7; metadata:created_at 2010_07_30, updated_at 2024_02_08;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; http.header.raw; content:"Content-Length|3a 20|"; fast_pattern; content:"Content-Length|3a 20|"; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:4; metadata:created_at 2013_07_13, deprecation_reason Performance, performance_impact Significant, updated_at 2024_02_20;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; http.header.raw; content:"Transfer-Encoding|3a 20|"; fast_pattern; content:"Transfer-Encoding|3a 20|"; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:3; metadata:created_at 2013_07_13, deprecation_reason Performance, performance_impact Significant, updated_at 2024_02_20;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; http.user_agent; content:!"Mozilla|2f|5|2e|0|20 28|compatible|3b 20|Googlebot|2f|2|2e|1|3b 20 2b|http|3a 2f 2f|www|2e|google|2e|com|2f|bot|2e|html|29|"; depth:72; content:!"Googlebot|2f|2|2e|1|20 28 2b|http|3a 2f 2f|www|2e|google|2e|com|2f|bot|2e|html|29|"; depth:50; content:"Googlebot"; fast_pattern; nocase; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:5; metadata:created_at 2012_07_25, updated_at 2024_02_20;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"xmlrpc.php"; http.request_body; content:"methodCall"; fast_pattern; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; classtype:web-application-attack; sid:2002158; rev:15; metadata:created_at 2010_07_30, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Apache DDos UA Observed (DDos Apache) Outbound"; flow:established,to_server; http.user_agent; content:"DDos Apache"; startswith; classtype:attempted-dos; sid:2029983; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_21, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_10;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Asprox Spambot SQL-Injection Atempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"declare "; nocase; content:"char("; nocase; content:"exec(@"; fast_pattern; nocase; classtype:web-application-attack; sid:2011291; rev:4; metadata:created_at 2010_09_28, updated_at 2024_03_10;)

alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER AntSword Webshell Commands Inbound"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"antSword/v"; fast_pattern; startswith; http.request_body; content:"cmd="; startswith; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030036; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2024_03_10;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; http.header; content:"Heimdallbot"; nocase; fast_pattern; threshold:type limit, count 1, seconds 60, track by_src; classtype:web-application-attack; sid:2020323; rev:5; metadata:created_at 2015_01_28, signature_severity Major, updated_at 2024_03_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:established,to_server; http.user_agent; content:"NV32ts"; startswith; classtype:web-application-attack; sid:2009029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024_03_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:established,to_server; http.user_agent; content:"tiehttp"; startswith; nocase; reference:url,www.torry.net/authorsmore.php?id=4292; classtype:web-application-activity; sid:2011759; rev:6; metadata:created_at 2010_07_30, updated_at 2024_03_12;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|BM6OAa1XCpH4x4"; fast_pattern; content:"SEnJYZXmyHhJG8JxC|0d|"; distance:1; within:18; http.header_names; content:"|0d 0a|HTTP_X_CNT|0d 0a|"; content:"|0d 0a|HTTP_X_CMD|0d 0a|"; classtype:attempted-admin; sid:2033788; rev:2; metadata:created_at 2021_08_25, deployment SSLDecrypt, signature_severity Major, updated_at 2024_03_21;)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|zzdibweoQxffnDEi2UKacJlEekplJ7uwrt|0d|"; fast_pattern; http.header_names; content:"|0d 0a|HTTP_X_CNT|0d 0a|"; content:"|0d 0a|HTTP_X_CMD|0d 0a|"; classtype:attempted-admin; sid:2033789; rev:2; metadata:created_at 2021_08_25, deployment SSLDecrypt, signature_severity Major, updated_at 2024_03_21;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; sid:2010519; rev:5; metadata:created_at 2010_07_30, deprecation_reason Performance, performance_impact Significant, updated_at 2024_04_10;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; sid:2010521; rev:5; metadata:created_at 2010_07_30, deprecation_reason Performance, performance_impact Significant, updated_at 2024_04_10;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; sid:2010524; rev:5; metadata:created_at 2010_07_30, deprecation_reason Performance, performance_impact Significant, updated_at 2024_04_10;)

#alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; sid:2010526; rev:5; metadata:created_at 2010_07_30, deprecation_reason Performance, performance_impact Significant, updated_at 2024_04_10;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject M2"; flow:established,to_server; http.request_body; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2052794; rev:1; metadata:created_at 2024_05_21, confidence Medium, signature_severity Major, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject M1"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:3; metadata:created_at 2013_08_15, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns M1"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:3; metadata:created_at 2013_08_19, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns M2"; flow:established,to_server; http.request_body; content:"SELECT"; nocase; content:"information_schema.columns"; fast_pattern; distance:0; nocase; classtype:attempted-user; sid:2052795; rev:1; metadata:created_at 2024_05_21, confidence Medium, signature_severity Major, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer M2"; flow:established,to_server; http.header; content:"/dev/tcp/"; fast_pattern; nocase; classtype:bad-unknown; sid:2052796; rev:1; metadata:created_at 2024_05_21, confidence Medium, signature_severity Major, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer M3"; flow:established,to_server; http.request_body; content:"/dev/tcp/"; fast_pattern; nocase; classtype:bad-unknown; sid:2052797; rev:1; metadata:created_at 2024_05_21, confidence Medium, signature_severity Major, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer M1"; flow:established,to_server; http.uri; content:"/dev/tcp/"; fast_pattern; nocase; classtype:bad-unknown; sid:2019285; rev:5; metadata:created_at 2014_09_26, updated_at 2024_05_21;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"allow_url_include"; http.uri.raw; content:"php|3a 2f 2f|input"; http.request_body; content:"<?php"; fast_pattern; reference:cve,2002-0953; reference:cve,2024-4577; classtype:attempted-user; sid:2019957; rev:5; metadata:affected_product Any, attack_target Server, created_at 2014_12_17, deployment Datacenter, confidence High, signature_severity Major, tag Remote_File_Include, updated_at 2024_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar2) in HTTP Request Body"; flow:established,to_server; http.request_body; content:"varchar2("; nocase; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053441; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_06_11, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection CHAR() in HTTP Request Body M1"; flow:established,to_server; http.request_body; content:"CHAR("; nocase; pcre:"/^(?:[0-9]{2,3}|0x[0-9]{2,3})\x29(?:\x2b|\x2c|\x7c\x7c)/R"; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053443; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection CHAR() in HTTP Request Body M2"; flow:established,to_server; http.request_body; content:"CHAR("; nocase; pcre:"/^(?:[0-9]{2,3}|0x[0-9]{2,3})\x2c/R"; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053446; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection CHR() in HTTP Request Body M1"; flow:established,to_server; http.request_body; content:"CHR("; nocase; pcre:"/^(?:[0-9]{2,3}|0x[0-9]{2,3})\x29(?:\x2b|\x2c|\x7c\x7c)/R"; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053449; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection CHR() in HTTP Request Body M2"; flow:established,to_server; http.request_body; content:"CHR("; nocase; pcre:"/^(?:[0-9]{2,3}|0x[0-9]{2,3})\x2c/R"; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053452; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection sp_configure in HTTP Request Body"; flow:established,to_server; http.request_body; content:"sp_configure"; nocase; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053456; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar) in HTTP Request Body"; flow:established,to_server; http.request_body; content:"varchar("; fast_pattern; nocase; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053460; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request Body"; flow:established,to_server; http.request_body; content:"exec("; fast_pattern; nocase; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053461; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (declare) in HTTP Request Body"; flow:established,to_server; http.request_body; content:"DECLARE|20|"; fast_pattern; nocase; content:"CHAR("; nocase; content:"CAST("; nocase; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053462; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE in HTTP Request Body"; flow:established,to_server; http.request_body; content:"INTO"; nocase; content:"OUTFILE"; fast_pattern; nocase; distance:0; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053463; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Obfuscated by REVERSE function in HTTP Request Body"; flow:established,to_server; http.request_body; content:"REVERSE"; nocase; pcre:"/^(?:\x28|\x20+\x28)/R"; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053464; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection SELECT CONCAT in HTTP Request Body"; flow:established,to_server; http.request_body; content:"SELECT"; nocase; content:"CONCAT"; nocase; fast_pattern; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053465; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection UNION SELECT in HTTP Request Body"; flow:established,to_server; http.request_body; content:"UNION"; fast_pattern; nocase; content:"SELECT"; nocase; distance:0; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053468; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection SELECT CAST in HTTP URI"; flow:established,to_server; http.request_line; content:"SELECT"; nocase; content:"CAST"; nocase; distance:0; fast_pattern; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053467; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_12, reviewed_at 2024_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET in HTTP URI"; flow:established,to_server; http.request_line; content:"UPDATE"; fast_pattern; nocase; content:"SET"; nocase; distance:0; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2006447; rev:17; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, performance_impact Significant, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function in HTTP URI"; flow:established,to_server; http.request_line; content:"REVERSE"; nocase; pcre:"/^(?:\x28|\x20+\x28)/R"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; classtype:web-application-attack; sid:2011122; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET  any (msg:"ET WEB_SERVER Possible SQL Injection WAITFOR DELAY in HTTP URI"; flow:established,to_server; http.request_line; content:"WAITFOR"; nocase; fast_pattern; content:"DELAY"; nocase; distance:0; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053479; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_06_12, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL injection WAITFOR DELAY in HTTP Request Body"; flow:established,to_server; http.request_body; content:"WAITFOR"; nocase; fast_pattern; content:"DELAY"; nocase; distance:0; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053480; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_06_12, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; http.request_line; content:"LOAD_FILE("; nocase; fast_pattern; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, performance_impact Moderate, signature_severity Major, tag SQL_Injection, updated_at 2024_06_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection INSERT INTO in HTTP Request Body"; flow:established,to_server; http.request_body; content:"INSERT"; fast_pattern; nocase; content:"INTO"; nocase; within:20; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053458; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_07_22, reviewed_at 2024_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection SELECT CAST in HTTP Request Body"; flow:established,to_server; http.request_body; content:"SELECT"; nocase; content:"CAST"; nocase; within:20; fast_pattern; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053466; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_07_22, reviewed_at 2024_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection DELETE FROM in HTTP Request Body"; flow:established,to_server; http.request_body; content:"DELETE"; fast_pattern; nocase; content:"FROM"; nocase; within:20; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053457; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_07_22, reviewed_at 2024_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection SELECT FROM in HTTP Request Body"; flow:established,to_server; http.request_body; content:"SELECT"; fast_pattern; nocase; content:"FROM"; nocase; within:100; pcre:"/SELECT.+FROM.+(?:\x3b|\x253b)/i"; reference:url,owasp.org/www-community/attacks/SQL_Injection; classtype:attempted-admin; sid:2053459; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_06_11, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_07_25, reviewed_at 2024_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM in HTTP URI"; flow:established,to_server; http.request_line; content:"SELECT"; fast_pattern; nocase; content:"FROM"; nocase; within:100; pcre:"/SELECT.+FROM.+(\x3b|\x253b)/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2006445; rev:17; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, performance_impact Significant, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO in HTTP URI"; flow:established,to_server; http.request_line; content:"INSERT"; fast_pattern; nocase; content:"INTO"; nocase; within:100; pcre:"/INSERT.+INTO.+(?:\x3b|\x253b)/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2006444; rev:17; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, performance_impact Moderate, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M1 - UUID Leak Via servermanager.cfc getHeartBeat Method (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:68; content:"/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat"; fast_pattern; reference:url,jeva.cc/2973.html; reference:cve,2024-20767; classtype:attempted-admin; sid:2056086; rev:1; metadata:affected_product Adobe_Coldfusion, tls_state TLSDecrypt, created_at 2024_09_23, cve CVE_2024_20767, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_23; target:dest_ip;)

alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M3 - Heap Memory Dump Module Unauthorized Memory Dump Attempt (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pms?module=heap_dump&username="; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"action=take"; endswith; http.header_names; content:"|0d 0a|uuid|0d 0a|"; nocase; reference:url,jeva.cc/2973.html; reference:cve,2024-20767; classtype:attempted-admin; sid:2056087; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_23, cve CVE_2024_20767, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_23; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SUBSTR"; distance:0; nocase; fast_pattern; pcre:"/SELECT.{1,100}SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; classtype:web-application-attack; sid:2010285; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; classtype:web-application-attack; sid:2002685; rev:8; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; classtype:web-application-attack; sid:2003087; rev:9; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/OvCgi/"; nocase; content:"/OpenView5.exe?"; nocase; distance:0; fast_pattern; content:"Action=../../"; nocase; distance:0; http.protocol; content:"HTTP/1."; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; classtype:web-application-attack; sid:2008171; rev:13; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/axis2/services/Version?"; http_uri; nocase; content:"xsd="; http_uri; nocase; content:"../"; depth:200; reference:bugtraq,40343; classtype:web-application-attack; sid:2011160; rev:6; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; content:"func="; nocase; content:"root="; nocase; content:"path="; nocase; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:4; metadata:created_at 2012_07_07, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cgi/url_redirect.cgi"; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017688; rev:4; metadata:created_at 2013_11_07, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; http.uri; content:"/cfcexplorer.cfc"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:5; metadata:created_at 2013_12_17, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:to_server,established; http.uri.raw; content:"/_plugin/"; fast_pattern; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:6; metadata:created_at 2015_05_22, cve CVE_2015_3337, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M2 - logging Module Directory Traversal Attempt (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pms?module=logging&file_name="; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"&number_of_lines="; distance:0; http.header_names; content:"|0d 0a|uuid|0d 0a|"; nocase; reference:url,jeva.cc/2973.html; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-20767; reference:cve,2024-20767; classtype:attempted-user; sid:2053030; rev:3; metadata:affected_product Adobe_Coldfusion, created_at 2024_05_30, cve CVE_2024_20767, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat directory traversal attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:2101055; rev:14; metadata:created_at 2010_09_23, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:14; metadata:created_at 2010_09_23, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2101945; rev:9; metadata:created_at 2010_09_23, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible BASE Authentication Bypass Attempt"; flow:established,to_server; http.cookie; content:"BASERole="; content:"794b69ad33015df95578d5f4a19d390e"; within:40; reference:url,seclists.org/bugtraq/2009/Jun/0218.html; reference:url,seclists.org/bugtraq/2009/Jun/0217.html; classtype:web-application-attack; sid:2009677; rev:9; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:to_server,established; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; http.uri; content:"/CreatingUserAccounts.aspx"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:5; metadata:created_at 2012_01_03, cve CVE_2011_3416, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; nocase; http.uri; content:"/CFIDE/wizards/common/_logintowizard.cfm"; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; classtype:web-application-attack; sid:2011358; rev:6; metadata:created_at 2010_09_28, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/archives/index.cfm"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; classtype:web-application-attack; sid:2011359; rev:7; metadata:created_at 2010_09_28, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/entman/index.cfm"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; classtype:web-application-attack; sid:2011360; rev:8; metadata:created_at 2010_09_28, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/enter.cfm"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; classtype:web-application-attack; sid:2011362; rev:7; metadata:created_at 2010_09_28, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM in HTTP URI"; flow:established,to_server; http.request_line; content:"DELETE"; fast_pattern; nocase; content:"FROM"; nocase; within:100; pcre:"/DELETE.+FROM.+(?:\x3b|\x253b)/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2006443; rev:18; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT in HTTP URI"; flow:established,to_server; http.request_line; content:"UNION"; fast_pattern; nocase; content:"SELECT"; nocase; within:100; pcre:"/UNION.+SELECT.+(?:\x3b|\x253b)/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2006446; rev:18; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar) in HTTP URI"; flow:established,to_server; http.request_line; content:"varchar("; fast_pattern; nocase; classtype:attempted-admin; sid:2008175; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (exec) in HTTP URI"; flow:established,to_server; http.request_line; content:"exec("; fast_pattern; nocase; classtype:attempted-admin; sid:2008176; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare) in HTTP URI"; flow:established,to_server; http.request_line; content:"DECLARE|20|"; fast_pattern; nocase; content:"CHAR("; nocase; content:"CAST("; nocase; classtype:attempted-admin; sid:2008467; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt in HTTP URI"; flow:established,to_server; http.request_line; content:"INTO"; nocase; content:"OUTFILE"; fast_pattern; nocase; within:100; pcre:"/INSERT.+INTO.+(?:\x3b|\x253b)/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; classtype:web-application-attack; sid:2010037; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection SELECT CONCAT in HTTP URI"; flow:established,to_server; http.request_line; content:"SELECT"; nocase; content:"CONCAT"; nocase; within:100; fast_pattern; pcre:"/SELECT.+CONCAT.+(?:\x3b|\x253b)/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; classtype:web-application-attack; sid:2011042; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command in HTTP URI"; flow:established,to_server; http.request_line; content:"sp_configure"; nocase; reference:url,technet.microsoft.com/en-us/library/ms188787.aspx; reference:url,technet.microsoft.com/en-us/library/ms190693.aspx; classtype:web-application-attack; sid:2011424; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related in HTTP URI"; flow:established,to_server; http.request_line; content:"CHAR("; nocase; pcre:"/^[0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ri"; classtype:attempted-admin; sid:2014352; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar2) in HTTP URI"; flow:established,to_server; http.request_line; content:"varchar2("; nocase; classtype:attempted-admin; sid:2016596; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_03_20, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2024_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)