# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: info.rules,v 1.15.2.1 2003/02/07 22:04:52 cazz Exp $
#-----------
# INFO RULES
#-----------

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; content:"Connection closed by foreign host"; nocase; flow:from_server,established; classtype:unknown; sid:488;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content: "PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; reference:arachnids,322; flow:from_client,established; classtype:unknown; sid:489; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; content:"BattleMail"; flow:to_server,established; classtype:unknown; sid:490;  rev:5;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login "; nocase; flow:from_server,established; classtype:bad-unknown; sid:491; rev:5;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login failed";  nocase; flow:from_server,established; classtype:bad-unknown; sid:492;  rev:5;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flow:from_server,established; classtype:bad-unknown; sid:1251;  rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; content:"Welcome!psyBNC@lam3rz.de"; flow:from_server,established; classtype:bad-unknown; sid:493;  rev:4;)