#
# $Id: emerging-web-server.rules $
# Emerging Threats web server rules. 
#
# These are for direct attacks against servers and server based applications, some scanning.
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2010, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by Kevin ross and mike cox
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; uricontent:"/utility.cgi?testType="; nocase; uricontent:"IP="; nocase; uricontent:"|7C 7C|"; pcre:"/\x7C\x7C.+[a-z]/Ui"; classtype:attempted-admin; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_3Com; sid:2010159; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/imc/login.jsf"; nocase; uricontent:"loginForm"; nocase; uricontent:"javax.faces.ViewState="; nocase; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_3Com; sid:2011145; rev:2;)

#by kevin ross and evilghost
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Apache; sid:2010281; rev:2;)

#by mex
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Asprox Spambot SQL-Injection Atempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"declare "; nocase; uricontent:"char("; nocase; uricontent:"exec(@"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Asprox; sid:2011291; rev:2;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; uricontent:"/awstats.pl?"; nocase; uricontent:"/migrate"; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Awstats; sid:2002900; rev:5;)
#by stillsecure
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/axis2/services/Version?"; nocase; uricontent:"xsd="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Axis2; sid:2011160; rev:2;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible BASE Authentication Bypass Attempt"; flow:to_server,established; content:"|0d 0a|cookie\:"; nocase; content:"BASERole="; content:"794b69ad33015df95578d5f4a19d390e"; within:40; classtype:web-application-attack; reference:url,seclists.org/bugtraq/2009/Jun/0218.html; reference:url,seclists.org/bugtraq/2009/Jun/0217.html; reference:url,doc.emergingthreats.net/2009677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_BASE; sid:2009677; rev:4;)

# Submitted 2005-09-04 by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Barracuda_Spam_Firewall; sid:2002362; rev:5;)

# Submitted 2005-11-22 by David Maciejak (with thanks to Nicob for pointing it out)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002685; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Barracuda_Spam_Firewall; sid:2002685; rev:5;)

# Submitted 2008-08-14 by David Maciejak
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; uricontent:"/cgi-bin/preview_email.cgi?"; nocase; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2003086; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Barracuda_Spam_Firewall; sid:2003086; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; uricontent:"/cgi-bin/preview_email.cgi?"; nocase; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2003087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Barracuda_Spam_Firewall; sid:2003087; rev:6;)

#kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; uricontent:"email|3D|"; nocase; uricontent:"hostname|3D|"; nocase; uricontent:"default|5F|domain|3D|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Barracuda_Spam_Firewall; sid:2010462; rev:2;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; classtype:web-application-attack; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_CSS; sid:2009714; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"onmouseover="; nocase; classtype:web-application-attack; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_CSS; sid:2009715; rev:4;)

#by Jared Braverman
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent\: CZ32ts|0d 0a|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:2;)

# New variant, spotted by Larry Wichman
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; content:"|0d 0a|User-Agent\: czxt2s|0d 0a|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011174; rev:1;)

# 2010-07-08: Submitted by Mike Cox
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011175; rev:4;)

#by mareadmin
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| plaNETWORK Bot Search"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011243; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11\; U\; SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011244; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011244; rev:4;)

#by eric romang
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Jcomers Bot scan"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011285; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011286; rev:4;)


#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; classtype:attempted-dos; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cherokee; sid:2010229; rev:2;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; uricontent:"/configure/"; uricontent:"/enable/"; classtype:web-application-attack; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; reference:url,doc.emergingthreats.net/2002721; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2002721; rev:5;)

#by tinytwitty
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; uricontent:"/CCMAdmin/serverlist.asp?"; nocase; uricontent:"pattern="; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; reference:url,doc.emergingthreats.net/2004556; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2004556; rev:6;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; uricontent:"|2B|CSCOE|2B 2F|files|2F|browse|2E|html"; nocase; uricontent:"code|3D|init"; nocase; uricontent:"path|3D|ftp"; nocase; classtype:attempted-user; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010457; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010460; rev:3;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; uricontent:"/servlet/JavascriptProbe"; nocase; nocase; uricontent:"documentElement=true"; nocase; uricontent:"regexp=true"; nocase; uricontent:"frames=true"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010622; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; reference:url,doc.emergingthreats.net/2010623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010623; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; classtype:web-application-attack; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010730; rev:2;)

#by mareadmin
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/CFIDE/wizards/common/_logintowizard.cfm"; content:"locale=%00../../"; nocase; classtype:web-application-attack; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; reference:url,doc.emergingthreats.net/2011358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Coldfusion; sid:2011358; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/CFIDE/administrator/archives/index.cfm"; content:"locale=%00../../"; nocase; classtype:web-application-attack; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; reference:url,doc.emergingthreats.net/2011359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Coldfusion; sid:2011359; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/CFIDE/administrator/entman/index.cfm"; content:"locale=%00../../"; nocase; classtype:web-application-attack; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; reference:url,doc.emergingthreats.net/2011360; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Coldfusion; sid:2011360; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 4/5)"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/cfide/install.cfm"; content:"locale=%00../../"; nocase; classtype:web-application-attack; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; reference:url,doc.emergingthreats.net/2011361; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Coldfusion; sid:2011361; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/CFIDE/administrator/enter.cfm"; content:"locale=%00../../"; nocase; classtype:web-application-attack; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; reference:url,doc.emergingthreats.net/2011362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Coldfusion; sid:2011362; rev:2;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"UNION%20"; within:200; nocase; content:"SELECT"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]+UNION.+SELECT/i"; classtype:web-application-attack; reference:url,www.w3schools.com/sql/sql_union.asp; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009770; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cookie_SQL_Injection; sid:2009770; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0d\x0aCookie\x3a[^\n]+SELECT.+FROM/i"; classtype:web-application-attack; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cookie_SQL_Injection; sid:2009771; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DELETE FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"DELETE%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]DELETE.+FROM/i"; classtype:web-application-attack; reference:url,www.w3schools.com/Sql/sql_delete.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009772; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cookie_SQL_Injection; sid:2009772; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT INTO SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INSERT%20"; nocase; within:200; content:"INTO"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INSERT.+INTO/i"; classtype:web-application-attack; reference:url,www.w3schools.com/SQL/sql_insert.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009773; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cookie_SQL_Injection; sid:2009773; rev:35;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INTO%20"; nocase; within:200; content:"OUTFILE"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INTO.+OUTFILE/i"; classtype:web-application-attack; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cookie_SQL_Injection; sid:2010038; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER xp_cmdshell Attempt in Cookie"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"xp_cmdshell"; nocase; within:200; pcre:"/\x0a\x0dCookie\x3a[^\n]+xp_cmdshell/i"; classtype:web-application-attack; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=4072; reference:url,doc.emergingthreats.net/2010119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cookie_SQL_Injection; sid:2010119; rev:4;)

#by wolvee
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET "; depth:4; uricontent:"lastvist.html?"; nocase; uricontent:"domain="; nocase; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cpanel; sid:2009484; rev:6;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible DD-WRT Command Execution Attack"; flow:to_server,established; uricontent:"|2F|cgi|2D|bin|2F 3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/Ui"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,www.securityfocus.com/bid/35742; reference:url,doc.emergingthreats.net/2009678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_DD-WRT; sid:2009678; rev:5;)

#some kind of robot/scripted web scanner. Some reports that it's looking for awstats installs
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; content:"User-Agent\: DataCha0s"; nocase; classtype:web-application-activity; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_DataCha0s; sid:2003616; rev:35;)


#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/HNAP1/"; nocase; content:"SOAPAction|3A|"; nocase; content:"DeviceSettings"; within:100; nocase; pcre:"/SoapAction\x3A.+\x2FHNAP1\x2F(set|get)DeviceSettings/si"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Dlink; sid:2010698; rev:2;)

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; uricontent:"OpenForm"; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Domino_XSS; sid:2002376; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; uricontent:"OpenFrameSet"; nocase; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Domino_XSS; sid:2002377; rev:8;)

#by mike cox
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010513; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 403 Forbidden|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010515; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010515; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010517; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010517; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010519; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010521; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010524; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Error_XSS; sid:2010526; rev:2;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; uricontent:"/cmd.exe"; nocase; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009361; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_General; sid:2009361; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt"; flow:to_server,established; uricontent:"/system32/"; nocase; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_General; sid:2009362; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Suspicious Chmod Usage in URI"; flow:to_server,established; uricontent:"chmod"; nocase; pcre:"/chmod.([r|w|x|1-7])/Ui"; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2009363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_General; sid:2009363; rev:4;)

#by kevin ross
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011289; rev:3;)
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011287; rev:2;)
alert tcp $HTTP_SERVERS any -> any $HTTP_PORTS (msg:"ET WEB_SERVER Possible Request for Gootkit Iframe Script from Local Webserver"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/scripts/iframe2.script"; nocase; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011288; rev:4;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/support_param.html/config"; nocase; uricontent:"Admin_Name=&Admin_Phone="; nocase; uricontent:"Product_URL="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/Ui"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_HP; sid:2010919; rev:2;)

#by David Maciejak
#Requires port 3443 to be included in http_inspect ports
alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl?"; nocase; pcre:"/node=.*\|.+\|/i"; reference:bugtraq,14662; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_HP_Openview; sid:2002365; rev:9;)

#by Akash Mahajan at Stillsecure
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/OvCgi/"; nocase; uricontent:"/OpenView5.exe?"; nocase; content:"Action=../../"; content:" HTTP/1"; distance:0; within:200; classtype:web-application-attack; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_HP_Openview; sid:2008171; rev:6;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/OvCgi/Main/Snmp.exe"; nocase; content:"Host="; nocase; distance:0; content:"Oid="; nocase; within:50; isdataat:600,relative; distance:0; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; classtype:web-application-attack; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_HP_Openview; sid:2010687; rev:3;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/OvCgi/ovalarm.exe"; nocase; uricontent:"OVABverbose="; nocase; content:"Accept-Language|3A 20|"; nocase; content:!"|0A|"; within:100; isdataat:100,relative; pcre:"/\x2FOvCgi\x2Fovalarm\x2Eexe.+OVABverbose=(1|on|true).+Accept-Language\x3A\x20.{100}/smi";classtype:web-application-attack; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_HP_Openview; sid:2010704; rev:3;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/OvCgi/Toolbar.exe"; nocase; content:"Accept-Language|3A|"; nocase; content:!"|0A|"; within:1350; isdataat:1350; content:"Content-Length|3A|"; nocase; distance:1350; pcre:"/Accept-Language\x3A.{1350}.+Content-Length\x3A/smi"; classtype:web-application-attack; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_HP_Openview; sid:2010864; rev:4;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/OvCgi/OvWebHelp.exe"; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:web-application-attack; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/sigs/WEB_SERVER/WEB_HP_Openview; sid:2010970; rev:3;)

#Submitted by mjp
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Alternate Data Stream source view attempt"; flow: to_server,established; uricontent:"|3A 3A|$DATA"; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; classtype: web-application-activity; reference:url,doc.emergingthreats.net/2001365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_ADS_Source_Code_Exposure; sid:2001365; rev:10;)

#Submitted by Matt Jonkman
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; uricontent:".aspx"; nocase; content:"GET"; nocase; depth: 3; content:"|5C|"; within: 200; content:"aspx"; nocase; within: 100; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001342; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Canonicalization_Bypass; sid:2001342; rev:23;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; uricontent:".aspx"; nocase; content:"GET"; nocase; depth: 3; content:"%5C"; depth: 200; nocase; content:"aspx"; within:100; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001343; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Canonicalization_Bypass; sid:2001343; rev:21;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; uricontent:".asp|3B 2E|"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; sid:2010592; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; uricontent:".aspx|3B 2E|"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_Filename_Bypass; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; sid:2010593; rev:6;)

#Submitted by Matt Jonkman
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt"; flow: to_server,established; content:"THCOWNZIIS!"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2000559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_IIS_THCOWNZIIS_443; sid:2000559; rev:14;)

#by mex
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"POST"; depth:4; uricontent:"/jmx-console/HtmlAdaptor"; nocase; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; classtype:web-application-attack; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss; sid:2010379; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; content:"GET"; depth:4; uricontent:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; uricontent:"DeploymentScanner"; nocase; uricontent:"methodName=addURL"; nocase; uricontent:"=http"; nocase; classtype:web-application-attack; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Jboss; sid:2010380; rev:4;)

#by Kevin Ross
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; classtype:attempted-recon; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Juniper; sid:2010162; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; content:"POST "; flow:established,to_server; depth:5; nocase; uricontent:"/gsb/datetime.php"; nocase; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; classtype:web-application-attack; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_LANDesk; sid:2010863; rev:3;)

#by David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"/index.php?"; nocase; uricontent:"date="; pcre:"/date=\d{8}\)\;.+/Ui"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002777; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Light_Weight_Calendar; sid:2002777; rev:5;)
#Submitted by bdoctor
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; classtype: web-application-activity; reference:url,doc.emergingthreats.net/2001768; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL; sid:2001768; rev:9;)

#by Jaime Blasco
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_start_job attempt"; flow:to_server,established; content:"sp_start_job"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2010004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL; sid:2010004; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2000105; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL; sid:2000105; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2000106; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL; sid:2000106; rev:4;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_cmdshell"; nocase; classtype:web-application-attack; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009815; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_servicecontrol"; nocase; pcre:"/(start|stop|continue|pause|querystate)/Ui"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009816; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009816; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"sp_adduser"; nocase; classtype:web-application-attack; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009817; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_reg"; nocase; pcre:"/xp_reg(read|write|delete)/Ui"; classtype:web-application-attack; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009818; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_fileexist"; nocase; classtype:web-application-attack; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009819; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_enumerrorlogs"; nocase; classtype:web-application-attack; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009820; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_readerrorlogs"; nocase; classtype:web-application-attack; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; reference:url,doc.emergingthreats.net/2009822; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009822; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; uricontent:"EXEC"; nocase; uricontent:"xp_"; nocase; uricontent:"_enum"; nocase; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/Ui"; classtype:web-application-attack; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_MSSQL_Stored; sid:2009823; rev:4;)


#by shirkdog
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Morfeus"; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2003466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan; sid:2003466; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| M Fucking Scanner"; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2003466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Morfeus_Scan; sid:2009799; rev:4;)


#by Wolvee
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/statuswml.cgi?"; nocase; uricontent:"ping"; nocase; pcre:"/ping\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ui";classtype:web-application-attack; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Nagios; sid:2009670; rev:7;)
#by Blake Hartstein at Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; classtype:attempted-user; reference:url,doc.emergingthreats.net/2002865; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Novell; sid:2002865; rev:5;)



#by Michael Scheidell
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER osCommerce vulnerable web application extras update.php exists"; flow:to_server,established; content:"Select an SQL file to install";reference:url,retrogod.altervista.org/oscommerce_22_adv.html; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2002863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_OSCommerce; sid:2002863; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; uricontent:"extras/update.php"; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html;classtype:attempted-recon; reference:url,doc.emergingthreats.net/2002864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_OSCommerce; sid:2002864; rev:5;)

# Submitted by Mark Tombaugh, 2005/07/20
# Note: Oracle Reports can run on any TCP port. Please configure HTTP_PORTS appropriately.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"CUSTOMIZE=/"; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; classtype:web-application-activity; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Oracle; sid:2002131; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"destype=file"; nocase; uricontent:"desformat="; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; classtype:web-application-activity; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Oracle; sid:2002132; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"report="; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; classtype:web-application-activity; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Oracle; sid:2002133; rev:9;)

#by Wolvee
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Oracle; sid:2009643; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; classtype:web-application-attack; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Oracle; sid:2009644; rev:5;)

#by mex
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; uricontent:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; classtype:attempted-recon; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011141; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_PHP_EasterEggs; sid:2011141; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; uricontent:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; classtype:attempted-recon; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_PHP_EasterEggs; sid:2011142; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; uricontent:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; classtype:attempted-recon; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_PHP_EasterEggs; sid:2011143; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; uricontent:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; classtype:attempted-recon; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_PHP_EasterEggs; sid:2011144; rev:2;)


#From Erik Fichtner
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET "; nocase; depth:4; uricontent:".php?"; nocase; uricontent:"name="; nocase; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2001621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_PHP_Injection; sid:2001621; rev:33;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; content:"GET "; nocase; depth:4; uricontent:".php?"; nocase; uricontent:"cmd="; nocase; pcre:"/cmd=.*(cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/Ui"; reference:cve,2002-0953; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010920; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_PHP_Injection; sid:2010920; rev:2;)


#From Joe Stewart, LURHQ
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP remote file include exploit attempt"; flow: to_server,established; content:"GET "; nocase; depth:4; uricontent:".php?"; nocase; uricontent:"cmd="; nocase; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; classtype: attempted-admin; reference:url,doc.emergingthreats.net/2001810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_PHP_Injection; sid:2001810; rev:27;)

#by evilghost
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; content:"POST ";nocase; depth:5; content:"<?php"; nocase; content:"?>"; classtype:web-application-attack; reference:url,isc.sans.edu/diary.html?storyid=9478; sid:2011415; rev:1;)


#from Michael Scheidell
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PacketShaper DoS attempt"; flow:to_server,established; uricontent:"/rpttop.htm"; pcre:"/MEAS\.TYPE=(?!(link|class)&)/U"; classtype:denial-of-service; reference:url,doc.emergingthreats.net/2004449; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Packeteer; sid:2004449; rev:5;)

#by pedro marinho
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Phoenix; sid:2011280; rev:2;)

#by David Wharton
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; uricontent:".php"; nocase; uricontent:"=http\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009151; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RFI_Generic; classtype:web-application-attack; sid:2009151; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; uricontent:".php"; nocase; uricontent:"=https\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009152; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RFI_Generic; classtype:web-application-attack; sid:2009152; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; uricontent:".php"; nocase; uricontent:"=ftp\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RFI_Generic; classtype:web-application-attack; sid:2009153; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; uricontent:".php"; nocase; uricontent:"=ftps\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009155; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RFI_Generic; classtype:web-application-attack; sid:2009155; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Remote File Inclusion (monster list http)"; flow:established,to_server; uricontent:".php"; nocase; uricontent:"http"; nocase; pcre:"/(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002997; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RFI_Generic; sid:2002997; rev:7;)

#matt Jonkman
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; uricontent:"?Redirect?"; nocase; pcre:"/url=.{8000}/iU"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2002660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_RSA; reference:url,doc.emergingthreats.net/2002660; sid:2002660; rev:9;)
#by Jared Braverman
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| revolt"; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Revolt_Scanner; sid:2009288; rev:55;)


#by Reg Quinton at UW. These are intended to be an overall catch for suspected sql injection
# in web urls. There are more specific sigs for many of these, but these will catch all
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006443; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006444; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006445; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006446; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/[&\?].*UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2006447; rev:10;)

#by Adam Pointon from SentinelSecurity.com.au
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; uricontent:"varchar("; nocase; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2008175; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2008175; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; uricontent:"exec("; nocase; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2008176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2008176; rev:5;)

#danmec using url's like these
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; uricontent:"DECLARE"; nocase; uricontent:"CHAR("; nocase; uricontent:"CAST("; nocase; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2008467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2008467; rev:5;)

# By Frank Knobbe
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent\: NV32ts|0d 0a|"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2009029; rev:4;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; uricontent:"INTO"; nocase; uricontent:"OUTFILE"; nocase; pcre:"/INTO.+OUTFILE/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010037; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; uricontent:"ALTER"; nocase; pcre:"/ALTER\ +(database|procedure|table|column)/Ui"; classtype:web-application-attack; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010084; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; uricontent:"DROP"; nocase; pcre:"/DROP\ +(database|procedure|table|column)/Ui"; classtype:web-application-attack; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010085; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; uricontent:"CREATE"; nocase; pcre:"/CREATE\ +(database|procedure|table|column|directory)/Ui"; classtype:web-application-attack; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010086; rev:4;)



#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in URI, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"INSTR"; nocase; pcre:"/SELECT.+INSTR/Ui"; classtype:web-application-attack; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010284; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI, Possible Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"SUBSTR"; nocase; pcre:"/SELECT.+SUBSTR/Ui"; classtype:web-application-attack; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010285; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"INSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+INSTR/i"; classtype:web-application-attack; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010286; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"SUBSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+SUBSTR/i"; classtype:web-application-attack; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010287; rev:2;)
# To detect things like SELECT SYSTEM USER, SELECT SESSION USER etc
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"USER"; nocase; pcre:"/SELECT.+USER/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2010963; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010963; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; uricontent:"SHOW"; nocase; uricontent:"CHARACTER"; nocase; content:"SET"; nocase; pcre:"/SHOW.+CHARACTER.+SET/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010964; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; uricontent:"SHOW"; nocase; uricontent:"VARIABLES"; nocase; pcre:"/SHOW.+VARIABLES/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010965; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; uricontent:"SHOW"; nocase; uricontent:"CUR"; nocase; pcre:"/SHOW.+CUR(DATE|TIME)/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010966; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; uricontent:"SHOW"; nocase; uricontent:"TABLES"; nocase; pcre:"/SHOW.+TABLES/Ui"; classtype:web-application-attack; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2010967; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; uricontent:"BULK"; nocase; uricontent:"INSERT"; nocase; pcre:"/BULK.+INSERT/Ui"; classtype:web-application-attack; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011035; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"VERSION"; nocase; pcre:"/SELECT.+VERSION/Ui"; classtype:web-application-attack; reference:url,msupport.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011037; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; uricontent:"INSERT"; nocase; uricontent:"VALUES"; nocase; pcre:"/INSERT.+VALUES/Ui"; classtype:web-application-attack; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011039; rev:2;)

# MYSQL Specific
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; uricontent:"/*"; uricontent:"*/"; pcre:"/\x2F\x2A.+\x2A\x2F/U"; classtype:web-application-attack; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2011040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011040; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; uricontent:"BENCHMARK("; nocase; uricontent:")"; pcre:"/BENCHMARK\x28[0-9].+\x29/Ui"; classtype:web-application-attack; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011041; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; uricontent:"SELECT"; nocase; uricontent:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/Ui"; classtype:web-application-attack; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011042; rev:2;)

#by evilghost
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; uricontent:"REVERSE"; nocase; pcre:"/[^\w]REVERSE[^\w]?\(/Ui"; classtype:web-application-attack; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; sid:2011122; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command"; flow:established,to_server; uricontent:"sp_configure"; nocase; classtype:web-application-attack; reference:url,technet.microsoft.com/en-us/library/ms188787.aspx; reference:url,technet.microsoft.com/en-us/library/ms190693.aspx; sid:2011424; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Attempt to Create MSSQL SOAP/HTTP Endpoint in URI to Allow for Operating System Interaction"; flow:established,to_server; uricontent:"CREATE"; nocase; uricontent:"ENDPOINT"; nocase; pcre:"/CREATE.+ENDPOINT/Ui"; classtype:web-application-attack; reference:url,msdn.microsoft.com/en-us/library/ms345123.aspx; reference:url,www.studentacad.com/post/2010/04/07/How-to-create-HTTP-Endpoint-in-SQL-Server-2005.aspx; sid:2011425; rev:1;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /etc/shadow Detected in URI"; flow:to_server,established; uricontent:"/etc/shadow"; nocase; classtype:attempted-recon; reference:url,en.wikipedia.org/wiki/Shadow_password; reference:url,doc.emergingthreats.net/2009485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Shadow; sid:2009485; rev:4;)

#by tinytwitty
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; uricontent:"/default.aspx?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; reference:url,doc.emergingthreats.net/2003903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Sharepoint; sid:2003903; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form[mail]"; flow:established,to_server; uricontent:"/contact/contact/index.php?"; nocase; uricontent:"form[mail]="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003904; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Sharepoint; sid:2003904; rev:7;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/_layouts/help.aspx"; nocase; uricontent:"cid0="; nocase; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Sharepoint; sid:2011073; rev:4;)

#by a bunch of folks
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/bash,csh,sh,tsh,ksh In URI, Possible Shell Command Execution Attempt Within Web Exploit"; flow:established,to_server; uricontent:"/bin/"; nocase; uricontent:"sh"; content:"/bin/"; nocase; depth:150; content:"sh"; within:4; nocase; pcre:"/\/bin\/[bactkm]{0,2}sh/i"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Shells; sid:2010667; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; depth:6; content:"Connection|3A| Close"; nocase; distance:0; content:"Lock-token|3A|"; nocase; within:100; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; reference:url,doc.emergingthreats.net/2011015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Sun; sid:2011015; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; classtype:web-application-attack; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Sun; sid:2011016; rev:3;)

#bu mex
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:to_server,established; content:"|0d 0a|User-Agent\: tiehttp"; nocase; classtype:web-application-activity; reference:url,www.torry.net/authorsmore.php?id=4292; reference:url,doc.emergingthreats.net/2011759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Tiehttp; sid:2011759; rev:2;)

#by evilghost
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .pl source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".pl~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009949; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .inc source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".inc~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009950; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .conf source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".conf~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009951; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .asp source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".asp~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009952; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .aspx source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".aspx~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009953; rev:9;)

#added by mareadmin
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .cgi source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".cgi~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Tilde_Disclosure; sid:2010820; rev:3;)

#this is disabled because it doesn't work for some reason.
#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; flowbits:isset,et.tilde.sloppyadmin; pcre:"/^HTTP\x2f1\.[01] 200/"; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009954; rev:7;)

#By Blake Hartstein
#Detects uri evasions too
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; uricontent:"|00|"; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2003099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_URI; sid:2003099; rev:6;)

#by Tom Fischer
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebAttacker kit (exploit ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?exploit"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Webattacker_Kit; sid:2002870; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebAttacker kit (bug ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?bug="; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002871; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Webattacker_Kit; sid:2002871; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebAttacker kit (exploit1 ie0601)"; flow:established,to_server; uricontent:"ie0601.cgi?exploit"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Webattacker_Kit; sid:2002869; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebAttacker kit (ie0606)"; flow:established,to_server; uricontent:"ie0606.cgi?"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Webattacker_Kit; sid:2002937; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebAttacker RootLauncher"; flow:established,to_server; uricontent:"rleadmin.cgi?getexe="; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2003063; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Webattacker_Kit; sid:2003063; rev:6;)

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002844; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Webdav; sid:2002844; rev:6;)

#by mike cox
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; uricontent:"/thisdoesnotexistahaha.php"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010720; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_nonexist; sid:2010720; rev:2;)


# By Frank Knobbe, 2005-11-02
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET /sumthin HTTP/1."; depth:20; nocase; classtype:attempted-recon; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_sumthin; sid:2002667; rev:35;)


#by mareadmin
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/w00tw00t.at.ISC.SANS"; nocase; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2010794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_wootwoot; sid:2010794; rev:3;)