# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: rpc.rules,v 1.35.2.3 2003/03/04 21:47:54 cazz Exp $
#----------
# RPC RULES
#----------

alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; content:"%x %x"; distance:16; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; content:"%x %x"; distance:16; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap TCP proxy attempt"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_sever,established; content:"|00 04 93 F3|"; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UDP proxy attempt"; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP cachefsd request"; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP cachefsd request"; flow:to_server,established; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content: "|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; content:"|00018799|"; offset: 16; depth:4; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC tcp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; flow:to_server,established; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593;  rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC udp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rusers query"; content:"|0000000000000002000186A2|"; offset:5; reference:cve,CVE-1999-0626; reference:arachnids,136; classtype:attempted-recon; sid:612; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS TCP"; flow:to_server,established; content:"|01 86 A3 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1960; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS UDP"; content:"|01 86 A3 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1959; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA TCP"; flow:to_server,established; content:"|01 86 AB 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1962; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA UDP"; content:"|01 86 AB 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1961; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; flow:to_server,established; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19; classtype:rpc-portmap-decode; flow:to_server,established; sid:1263;  rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19;classtype:rpc-portmap-decode; sid:576; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; flow:to_server,established; sid:1264;  rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; flow:to_server,established; sid:1265;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request espd"; rpc:391029,*,*; flow:to_server,established; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; flow:to_server,established; sid:1266; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; flow:to_server,established; sid:1267;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; flow:to_server,established; sid:1268;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; flow:to_server,established; sid:1269;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; flow:to_server,established; sid:1270;  rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|"; offset:40; depth:8; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|";offset:40;depth:8; reference:arachnids,133; reference:cve,CVE-1999-0626; classtype:rpc-portmap-decode; flow:to_server,established; sid:1271;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; flow:to_server,established; sid:1272;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; flow:to_server,established; sid:1273;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request status"; content:"|01 86 B8 00 00|";offset:40;depth:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; flow:to_server,established; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298;  rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|"; offset:40;depth:8; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:arachnids,24; classtype:rpc-portmap-decode; flow:to_server,established; sid:1274;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; flow:to_server,established; sid:1275;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flow:to_server,established; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297;  rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; flow:to_server,established; sid:1276;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; flow:to_server,established; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591;  rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP rwalld request"; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1732; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP rwalld request"; flow:to_server,established; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1733;  rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flow:to_server,established; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP kcms_server request"; content:"|01 87 7D 00 00|"; offset:40; depth:8; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP kcms_server request"; flow:to_server,established; content:"|01 87 7D 00 00|"; offset:40; depth:8; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87 7D|"; offset: 16; content:"/../"; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:1;)