alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; metadata:service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1537; rev:9;)# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; metadata:service http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:7;)# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; metadata:service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1701; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar.pl access"; flow:to_server,established; uricontent:"calendar"; nocase; pcre:"/calendar(|[-_]admin)\.pl/Ui"; metadata:service http; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; metadata:service http; classtype:attempted-recon; sid:882; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; metadata:service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:7;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; metadata:service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:7;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; metadata:service http; classtype:attempted-recon; sid:870; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; metadata:service http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; metadata:service http; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:10;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; metadata:service http; classtype:attempted-recon; sid:878; rev:7;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; metadata:service http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:9;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; metadata:service http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:9;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; metadata:service http; classtype:attempted-recon; sid:881; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; metadata:service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; metadata:service http; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:12;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; metadata:service http; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:15;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; metadata:service http; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:12;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; metadata:service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:7;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; metadata:service http; classtype:attempted-recon; sid:888; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; metadata:service http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:11;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; metadata:service http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:11;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; metadata:service http; classtype:attempted-recon; sid:891; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; metadata:service http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:11;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; metadata:service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:7;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; metadata:service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:9;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; metadata:service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; metadata:service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; metadata:service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh"; nocase; metadata:service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; metadata:service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; metadata:service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; metadata:service http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; metadata:service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; sid:1397; rev:9;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; metadata:service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:12;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; metadata:service http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:10;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; metadata:service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:11;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; metadata:service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:8;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; metadata:service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:10;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; metadata:service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:10;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; metadata:service http; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:6;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; metadata:service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:12;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; metadata:service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:11;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; metadata:service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:10;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; metadata:service http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:9;)alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; metadata:service http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:11;)