# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: deleted.rules,v 1.14.2.2 2003/02/09 03:27:29 cazz Exp $
#-------------
# DELETED RULES
#-------------
# These signatures have been deleted for various reasons, but we are keeping
# them here for historical purposes.

# Duplicate to 332
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0";reference:arachnids,378; classtype:attempted-recon; sid:325; rev:3;)

# Duplicate of 512
alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; offset:5; depth:13; classtype:unsuccessful-user; sid:511;  rev:4;)

# Duplicate of 514
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content: "GET "; depth: 8; nocase;reference:arachnids,460; classtype:bad-unknown; sid:506; rev:3;)

# Duplicate of 557
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)

# Duplicate of 559
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:4;)

# Duplicate of 844
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121;  rev:4;)

# Yeah, so the one site that was vulnerable to edit.pl aint no more.
# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access";flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855;  rev:5;)

# duplicate of 987
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; classtype:web-application-activity; reference:bugtraq,4474; reference:cve,CAN-2002-0071; sid:1619;  rev:4;)

# webmasters suck, so this happens ever so often.  Its really not that bad,
# so lets disable it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114;  rev:5;)

# dup of 1660
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749;  rev:3;)

# dup
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; content:"GET "; offset:0; depth:4; uricontent:"/../../../../../../../../../../../"; flow:to_server,established; reference:bugtraq,2282; reference:cve,CAN-2001-0252; classtype:web-application-attack; sid:1049; rev:7;)


# Falses WAAAYYY too often.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; content:"Directory of"; nocase; flow:from_server,established; classtype:unknown; sid:496; rev:7;)

# Replaced with 1801,1802,1803,1804
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3a|"; content:"|0a|"; content:"|00|"; classtype:web-application-attack; reference:bugtraq,4476; sid:1768; rev:3;)

# duplicate of sid:1673
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)

# Port based only sigs suck, this is why stream4 has flow logs
alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)

# basicly duplicate of 330 
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; flow:to_server,established; content: "@localhost|0A|"; dsize:11; reference:arachnids,11; classtype:attempted-recon; sid:329;  rev:6;)

# duplicate of 1478
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)

# duplicate of 1248
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase; dsize: >258; flow:to_server,established; classtype:web-application-attack; reference:arachnids,555; reference:bugtraq,2906; reference:cve,CAN-2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.asp; sid:1246;  rev:8;)

# duplicate of 1249
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; uricontent:"/fp4areg.dll"; nocase; dsize: >259; flow:to_server,established; reference:cve,CAN-2001-0341; reference:bugtraq,2906; classtype:web-application-attack; sid:1247; rev:7;)

# duplicate of 1755
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; flow:to_server,established; content:" x PARTIAL 1 BODY["; dsize:>1092; reference:bugtraq,4713; classtype:misc-attack; sid:1780; rev:5;)

# duplicate of 1538
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; flow:to_server,established; content: "AUTHINFO USER"; nocase; dsize: >512; depth:16; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-user; sid:291;  rev:6;)

# spp_conversation takes care of this now
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:3;)

# This rule looks for the exploit for w3-msql, but very badly
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86  access"; flow:to_server,established; uricontent: "/bin/shA-cA/usr/openwin"; nocase; reference:cve,CVE-1999-0276; reference:arachnids,211;classtype:attempted-recon; sid:874;  rev:4;)


alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|"; classtype:attempted-admin; sid:318; rev:3; reference:bugtraq,324; reference:cve,CVE-1999-0914;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:2;)


# duplicate of 109
alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401; sid:114;  classtype:misc-activity; rev:3;)

# duplicate of 110
alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content: "GetInfo|0d|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:3;)


# we have a backorifice preprocessor
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112;  classtype:misc-activity; rev:3;)

# we have a backorifice preprocessor
alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";  reference:arachnids,399; sid:116;  classtype:misc-activity; rev:3;)



alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; sid:164;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:165;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; sid:166;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";  reference:arachnids,106; sid:167; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hi de/Show Desktop Client Request"; content:"33";  reference:arachnids,106; sid:168 ;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; sid:169;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";  reference:arachnids,106; sid:170;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";  reference:arachnids,106; sid:171;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; sid:172;  classtype:misc-activity; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; sid:173;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";  reference:arachnids,106; sid:174;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; sid:175;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";  reference:arachnids,106; sid:176;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";  reference:arachnids,106; sid:177;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21";  reference:arachnids,106; sid:179; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64";  reference:arachnids,106; sid:180;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; sid:181; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; sid:182;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; sid:122;  classtype:misc-activity; rev:4;)
  alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; sid:124;  classtype:misc-activity; rev:4;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";  reference:arachnids,106; sid:125; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12";  reference:arachnids,106; sid:126;  classtype:misc-activity; rev:4;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; sid:127;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; sid:128;  classtype:misc-activity; rev:4;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - ";  reference:arachnids,106; sid:129;  classtype:misc-activity; rev:4;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; sid:130; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130";  reference:arachnids,106; sid:131;  classtype:misc-activity; rev:4;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; sid:132;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; sid:133; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17";  reference:arachnids,106; sid:134;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; sid:135;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; sid:136;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911";  reference:arachnids,106; sid:137;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";  reference:arachnids,106; sid:140;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";  reference:arachnids,106; sid:142;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; sid:143; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; sid:149;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; sid:150;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network";  reference:arachnids,106; sid:151;  classtype:misc-activity; rev:4;)
alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; sid:154;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-act ivity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07";  reference:arachnids,106; sid:186; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38";  reference:arachnids,106; sid:188;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23";  reference:arachnids,106; sid:189; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24";  reference:arachnids,106; sid:190; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; sid:191;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26";  reference:arachnids,106; sid:192;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; sid:193;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; sid:194;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";  reference:arachnids,106; sid:196;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; sid:197; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198; classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; sid:199;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; sid:200;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";  reference:arachnids,106; sid:201;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100";  reference:arachnids,106; sid:202;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117";  reference:arachnids,106; sid:203;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118";  reference:arachnids,106; sid:204;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199";  reference:arachnids,106; sid:205;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; sid:206;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; sid:207;  classtype:misc-activity; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16; reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:4;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";  reference:arachnids,106; sid:148;  classtype:misc-activity; rev:4;)

# The following ftp rules look for specific exploits, which are not needed now
# that initial protocol decoding is available.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124; reference:arachnids,446; classtype:attempted-user; sid:339;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5057 440A 2F69|"; classtype:attempted-admin; sid:340;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5858 5858 582F|"; classtype:attempted-admin; sid:341;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content: "|901BC00F 82102017 91D02008|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,451; classtype:attempted-user; sid:342;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,287; classtype:attempted-admin; sid:344;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established;  content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-recon; sid:346;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"|2e2e3131|venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:350;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:351;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352;  rev:4;)