# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: web-frontpage.rules,v 1.21.2.1 2002/11/17 04:40:09 cazz Exp $
#--------------------
# WEB-FRONTPAGE RULES
#--------------------

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; uricontent:"/fp30reg.dll"; nocase; flow:to_server,established; classtype:web-application-activity; reference:arachnids,555; reference:bugtraq,2906; reference:cve,CAN-2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.asp; sid:1248;  rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; uricontent: "/fp4areg.dll"; nocase; flow:to_server,established; reference:cve,CAN-2001-0341; reference:bugtraq,2906; classtype:web-application-activity; sid:1249;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; classtype:web-application-activity; sid:937;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; classtype:web-application-activity; sid:939;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; uricontent: "/_vti_bin/shtml.dll"; nocase; flow:to_server,established; reference:arachnids,292; classtype:web-application-activity; sid:940;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access";flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access";flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access";flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access";flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access";flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access";flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access";flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access";flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; classtype:web-application-activity; sid:948;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access";flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access";flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:cve,CVE-1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access";flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access";flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; classtype:web-application-activity; sid:954;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access";flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; classtype:web-application-activity; sid:955;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access";flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access";flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access";flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; classtype:web-application-activity; sid:958;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd";flow:to_server,established; uricontent:"/service.pwd"; nocase;reference:bugtraq,1205; classtype:web-application-activity; sid:959;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access";flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access";flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; classtype:web-application-activity; sid:961;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:nessus,10405; reference:cve,CAN-2000-0413; reference:cve,CAN-2000-0709; reference:bugtraq,1608; reference:bugtraq,1174; classtype:web-application-activity; sid:962; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; classtype:web-application-activity; sid:963;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access";flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; classtype:web-application-activity; sid:965;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established; content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989; reference:cve,CAN-2000-0153; reference:arachnids,248; classtype:web-application-attack; sid:966;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent: "/dvwssr.dll"; nocase; reference:bugtraq,1108; reference:cve,CVE-2000-0260; reference:arachnids,271; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.asp; classtype:web-application-activity; sid:967;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access";flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access";flow:to_server,established; uricontent:"/_vti_bin/"; nocase; classtype:web-application-activity; sid:1288;  rev:5;)