?? rpc.rules
# Shared structure of the rules in this file (all match ONC RPC CALL messages):
#   UDP payload: xid(4) msg_type(4) rpcvers(4) prog(4) vers(4) proc(4) cred verf args
#   TCP payload: the same fields preceded by a 4-byte record-marking header, so every
#   offset in a TCP rule is 4 larger than in its UDP twin (prog at 12/16, msg_type at 4/8).
#   content:"|00 00 00 00|"; depth:4; offset:4 (UDP) / offset:8 (TCP)  -> msg_type CALL (0)
#   content:"|pp pp pp pp|"; depth:4; offset:12/16                     -> RPC program number
#   content:"|00 00 00 nn|"; within:4; distance:4                      -> procedure number
#   byte_jump:4,4,relative,align; byte_jump:4,4,relative,align
#       -> skip the variable-length credentials and verifier (flavor, length, opaque body)
#          so the cursor sits on the first argument
#   byte_test:4,>,N,off,relative
#       -> the XDR length field of a string argument exceeds N bytes; these are the
#          "overflow attempt" rules, the threshold being the size of the vulnerable buffer
# Program numbers used here: 0x186A0 portmap (100000), 0x186A5 mountd (100005),
# 0x186A1 rstatd (100001), 0x186B8 statd (100024), 0x186E4 cmsd (100068),
# 0x18788 sadmind (100232), 0x493F3 amd (300019).
# "portmap ... request" rules match PMAPPROC_GETPORT (proc 3) calls to port 111 whose
# looked-up program (the content after the two byte_jump) is the daemon named in the msg;
# they are reconnaissance indicators (classtype rpc-portmap-decode), not exploit matches.

# mountd (100005): proc 1 MNT, 2 DUMP, 3 UMNT, 4 UMNTALL
# sid 2185: mount path string longer than 1023 bytes. The 5-byte prog match also pins
# the first byte of the version field, hence distance:3 instead of 4 before the proc match.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; flow:to_server; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; sid:1952; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; sid:2018; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; sid:2019; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; sid:2020; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; sid:2021; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; sid:2022; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; sid:2023; rev:6;)

# amd (300019): destination restricted to ports 500 and above ("500:").
# NOTE(review): on the rendered page this header was fused onto the following alert line
# ("# amdalert udp ..."); loaded that way, Snort treats sid 1905 as part of the comment and
# silently drops it. The same applies to the "# cmsd", "# sadmind" and "# statd" headers
# below (sids 578, 1272, 583). Each header is restored to its own line here.
# sids 1905/1906: amqproc_mount (proc 7) with a first string argument longer than 512 bytes.
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; sid:1953; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; sid:1954; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; sid:1955; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:10;)

# cmsd (100068)
# sids 578/1265: portmap GETPORT lookups for cmsd (reconnaissance indicator).
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:10;)
# sids 1907/1908: CMSD_CREATE (proc 0x15) with first string argument longer than 1024 bytes.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:10;)
# sids 2094/2095: same procedure, but the length tested sits 20 bytes into the arguments
# (a later field of the CMSD_CREATE request); different CVE, drop in the IPS policies.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:10;)
# sids 1909/1910: CMSD_INSERT (proc 6). A third byte_jump:4,0,relative,align skips one
# length-prefixed argument before the length 28 bytes further on is tested against 1000.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:13;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:12;)

# sadmind (100232)
# sids 1272/585: portmap GETPORT lookups for sadmind (reconnaissance indicator).
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:9;)
# sids 1911/1912: NETMGT_PROC_SERVICE (proc 1). After cred/verf, two further byte_jumps
# (offsets 124 and 20) step through the request header to the CLIENT_DOMAIN string, whose
# length is tested against 512.
# NOTE(review): sid 1912 carries both reference:bugtraq,0866 and reference:bugtraq,866 —
# the same BID twice; the zero-padded form looks like a leftover that could be dropped.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:12;)
# sids 1957/1958: sadmind NULL procedure (proc 0) "PING", used to probe for a live daemon.
# NOTE(review): sid 1957 is the only UDP rule in this view without flow:to_server; every
# sibling UDP rule has it, so this looks like an omission rather than intent — confirm
# before relying on it, since without the keyword the rule also inspects reply traffic.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:11;)

# statd (100024)
# NOTE(review): the two portmap rules that open this group (sids 583/1270) look up program
# 0x186A1, which is rstatd (100001), not statd (0x186B8); the msg strings say "rstatd", so the
# rules themselves are consistent — only the grouping under "# statd" is loose.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:12;)
# sids 1913/1914: SM_STAT (proc 1) with a mon_name string longer than 100 bytes. The low
# threshold reflects that a legitimate mon_name is a hostname; a long one is the format-string
# payload carrier described in the references.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:14;)