# # $Id: emerging-web_specific_apps.rules $ # Emerging Threats web specific apps rules. # # These rules are for very specific application vulnerabilities. Most have a more general rule in the # ruleset elsewhere. Choose those out of this set you are specifically interested, otherwise this # will be a bit noisy. # # SID's are 2000000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/layouts/standard.php?"; nocase; uricontent:"page_include="; nocase; pcre:"/page_include=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,vupen.com/english/advisories/2009/0360; reference:url,milw0rm.com/exploits/8003; reference:url,doc.emergingthreats.net/2009717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_1024CMS; sid:2009717; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007504; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007505; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007506; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007507; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007508; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007509; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"categoryID_list="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007510; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007510; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"categoryID_list="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007511; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007511; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"categoryID_list="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007512; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"categoryID_list="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007513; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"categoryID_list="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007514; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"categoryID_list="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007515; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007515; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"sale_type="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007516; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"sale_type="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007517; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007517; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"sale_type="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007518; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007518; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"sale_type="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007519; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"sale_type="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007520; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"sale_type="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007521; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"stock_number="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007522; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"stock_number="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007523; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"stock_number="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007524; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"stock_number="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007525; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"stock_number="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007526; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"stock_number="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007527; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007527; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"manufacturer="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007528; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007528; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"manufacturer="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007529; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"manufacturer="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007530; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"manufacturer="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007531; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"manufacturer="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007532; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"manufacturer="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007533; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"model="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007534; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"model="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007535; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"model="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007536; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"model="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007537; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"model="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007538; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"model="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007539; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007540; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007541; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007542; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007543; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007543; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007544; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007544; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007545; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007545; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"year="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007546; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"year="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007547; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"year="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007548; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"year="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007549; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007549; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"year="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007550; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"year="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007551; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007551; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vin="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007552; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007552; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vin="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007553; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007553; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vin="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007554; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007554; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vin="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007555; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007555; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vin="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007556; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007556; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vin="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007557; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007557; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"listing_price="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007558; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007558; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UNION SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"listing_price="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007559; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price INSERT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"listing_price="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007560; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price DELETE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"listing_price="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007561; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ASCII"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"listing_price="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007562; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"listing_price="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007563; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 212cafe Board view.php qID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view.php?"; nocase; uricontent:"qID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31426; reference:url,xforce.iss.net/xforce/xfdb/45428; reference:url,milw0rm.com/exploits/6578; reference:url,doc.emergingthreats.net/2009734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_212Board; sid:2009734; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib/page/pageDescriptionObject.php?"; nocase; uricontent:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011164; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_29o3; sid:2011164; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib/layout/layoutHeaderFuncs.php?"; nocase; uricontent:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_29o3; sid:2011165; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib/layout/layoutManager.php?"; nocase; uricontent:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_29o3; sid:2011666; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib/layout/layoutParser.php?"; nocase; uricontent:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_29o3; sid:2011167; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/2fly_gift.php?"; nocase; uricontent:"gameid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/36294/; reference:url,osvdb.org/show/osvdb/57136; reference:url,doc.emergingthreats.net/2010196; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2Fly; sid:2010196; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating SELECT"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"rating="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004059; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UNION SELECT"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"rating="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004060; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating INSERT"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"rating="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004061; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating DELETE"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"rating="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004062; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating ASCII"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"rating="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004063; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004063; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"rating="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004064; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id SELECT"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004071; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UNION SELECT"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004072; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004072; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id INSERT"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004073; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004073; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id DELETE"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004074; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id ASCII"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004075; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004075; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE"; flow:established,to_server; uricontent:"/includes/rating.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2z_project; sid:2004076; rev:7;) #by Mike Cox alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; uricontent:"index.php?"; nocase; uricontent:"imgdir="; nocase; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; classtype:web-application-attack; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; reference:url,doc.emergingthreats.net/2010601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_35mmSlideGallery; sid:2010601; rev:2;) #by mex alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 68KB PHP Knowledge Base Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/themes/admin/default/modules/show.php?file="; classtype:web-application-attack; reference:url,securityreason.com/wlb_show/WLB-2010030122; reference:url,68kb.com/2010/04/03/68kb-v1-0-0-rc4-is-now-released-please-upgrade/; reference:url,www.securityfocus.com/archive/1/512824; reference:url,doc.emergingthreats.net/2011327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_68kb; sid:2011327; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; uricontent:"/admin/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_8pixel; sid:2007217; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; uricontent:"/admin/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007218; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_8pixel; sid:2007218; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; uricontent:"/admin/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007219; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_8pixel; sid:2007219; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; uricontent:"/admin/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007220; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_8pixel; sid:2007220; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; uricontent:"/admin/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_8pixel; sid:2007221; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; uricontent:"/admin/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_8pixel; sid:2007222; rev:6;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod SELECT"; flow:established,to_server; uricontent:"/templates/modif.html?"; nocase; uricontent:"id_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACGVannu; sid:2005057; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UNION SELECT"; flow:established,to_server; uricontent:"/templates/modif.html?"; nocase; uricontent:"id_mod="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACGVannu; sid:2005058; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod INSERT"; flow:established,to_server; uricontent:"/templates/modif.html?"; nocase; uricontent:"id_mod="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACGVannu; sid:2005059; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod DELETE"; flow:established,to_server; uricontent:"/templates/modif.html?"; nocase; uricontent:"id_mod="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACGVannu; sid:2005060; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod ASCII"; flow:established,to_server; uricontent:"/templates/modif.html?"; nocase; uricontent:"id_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACGVannu; sid:2005061; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE"; flow:established,to_server; uricontent:"/templates/modif.html?"; nocase; uricontent:"id_mod="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACGVannu; sid:2005062; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form[mods]"; flow:established,to_server; uricontent:"/search/list/action_search/index.php?"; nocase; uricontent:"form[mods]["; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003905; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form"; flow:established,to_server; uricontent:"/search/list/action_search/index.php?"; nocase; uricontent:"form["; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003906; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id"; flow:established,to_server; uricontent:"/modules/dl/download.php?"; nocase; uricontent:"id="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003907; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form[cat]"; flow:established,to_server; uricontent:"/news/list/index.php?"; nocase; uricontent:"form[cat]="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003908; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form[cat]"; flow:established,to_server; uricontent:"/action_create/index.php?"; nocase; uricontent:"form[cat]="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003909; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form[name]"; flow:established,to_server; uricontent:"/action_create/index.php?"; nocase; uricontent:"form[name]="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003910; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form[message]"; flow:established,to_server; uricontent:"/action_create/index.php?"; nocase; uricontent:"form[message]="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003911; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form[mail]"; flow:established,to_server; uricontent:"/newsletter/create/index.php?"; nocase; uricontent:"form[mail]="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ACP3; sid:2003912; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir"; flow:established,to_server; uricontent:"/common/func.php?"; nocase; uricontent:"CommonAbsDir="; nocase; classtype:web-application-attack; reference:cve,CVE-2007-2596; reference:url,www.milw0rm.com/exploits/3884; reference:url,doc.emergingthreats.net/2003704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AForum; sid:2003704; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header"; flow:established,to_server; uricontent:"/common/errormsg.php?"; nocase; uricontent:"header="; nocase; classtype:web-application-attack; reference:cve,CVE-2007-2634; reference:url,secunia.com/advisories/25224; reference:url,doc.emergingthreats.net/2003736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AForum; sid:2003736; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2625; reference:url,www.frsirt.com/english/advisories/2007/1637; reference:url,doc.emergingthreats.net/2003886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2003886; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php"; flow:established,to_server; uricontent:"/shared/config/cp_config.php?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2624; reference:url,www.securityfocus.com/bid/23790; reference:url,doc.emergingthreats.net/2003887; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2003887; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name SELECT"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; uricontent:"xuser_name="; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005573; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UNION SELECT"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; uricontent:"xuser_name="; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005574; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name INSERT"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; uricontent:"xuser_name="; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005575; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name DELETE"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; uricontent:"xuser_name="; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005576; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ASCII"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; uricontent:"xuser_name="; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005577; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE"; flow:established,to_server; uricontent:"/shared/code/cp_authorization.php?"; nocase; uricontent:"xuser_name="; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005578; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did SELECT"; flow:established,to_server; uricontent:"/public/code/cp_downloads.php?"; nocase; uricontent:"did="; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005579; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UNION SELECT"; flow:established,to_server; uricontent:"/public/code/cp_downloads.php?"; nocase; uricontent:"did="; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005580; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did INSERT"; flow:established,to_server; uricontent:"/public/code/cp_downloads.php?"; nocase; uricontent:"did="; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005581; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did DELETE"; flow:established,to_server; uricontent:"/public/code/cp_downloads.php?"; nocase; uricontent:"did="; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005582; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ASCII"; flow:established,to_server; uricontent:"/public/code/cp_downloads.php?"; nocase; uricontent:"did="; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005583; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE"; flow:established,to_server; uricontent:"/public/code/cp_downloads.php?"; nocase; uricontent:"did="; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2005584; rev:4;) #by Kevin Ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AIOCP; sid:2010080; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; uricontent:"/subcat.php?"; nocase; uricontent:"cate_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004529; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; uricontent:"/subcat.php?"; nocase; uricontent:"cate_id="; nocase; uricontent:"UNION"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004530; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; uricontent:"/subcat.php?"; nocase; uricontent:"cate_id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004531; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; uricontent:"/subcat.php?"; nocase; uricontent:"cate_id="; nocase; uricontent:"DELETE"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004532; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; uricontent:"/subcat.php?"; nocase; uricontent:"cate_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004533; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; uricontent:"/subcat.php?"; nocase; uricontent:"cate_id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004534; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; uricontent:"/view_profile.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004535; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; uricontent:"/view_profile.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"UNION"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004536; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; uricontent:"/view_profile.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004537; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; uricontent:"/view_profile.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"DELETE"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004538; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; uricontent:"/view_profile.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004539; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; uricontent:"/view_profile.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004540; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; uricontent:"/postingdetails.php?"; nocase; uricontent:"postingid="; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004541; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UNION SELECT"; flow:established,to_server; uricontent:"/postingdetails.php?"; nocase; uricontent:"postingid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004542; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid INSERT"; flow:established,to_server; uricontent:"/postingdetails.php?"; nocase; uricontent:"postingid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004543; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004543; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid DELETE"; flow:established,to_server; uricontent:"/postingdetails.php?"; nocase; uricontent:"postingid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004544; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004544; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ASCII"; flow:established,to_server; uricontent:"/postingdetails.php?"; nocase; uricontent:"postingid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004545; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004545; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; uricontent:"/postingdetails.php?"; nocase; uricontent:"postingid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004546; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id SELECT"; flow:established,to_server; uricontent:"/topic_title.php?"; nocase; uricontent:"td_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004547; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT"; flow:established,to_server; uricontent:"/topic_title.php?"; nocase; uricontent:"td_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2005177; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2005177; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id INSERT"; flow:established,to_server; uricontent:"/topic_title.php?"; nocase; uricontent:"td_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004548; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id DELETE"; flow:established,to_server; uricontent:"/topic_title.php?"; nocase; uricontent:"td_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004549; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004549; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id ASCII"; flow:established,to_server; uricontent:"/topic_title.php?"; nocase; uricontent:"td_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004550; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE"; flow:established,to_server; uricontent:"/topic_title.php?"; nocase; uricontent:"td_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004551; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AJ; sid:2004551; rev:5;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible APC Switched Rack PDU Web Administration Interface Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"/Forms/login1?login_username="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Dec/1023331.html; reference:url,doc.emergingthreats.net/2010507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_APC; sid:2010507; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/Forms/login"; nocase; uricontent:"login_username="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:cve,2009-1798; reference:url,doc.emergingthreats.net/2010862; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_APC; sid:2010862; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2892; reference:url,www.securityfocus.com/bid/24135; reference:url,doc.emergingthreats.net/2004594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP-Nuke; sid:2004594; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid SELECT"; flow:established,to_server; uricontent:"/forum2.asp?"; nocase; uricontent:"soruid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006819; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006819; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UNION SELECT"; flow:established,to_server; uricontent:"/forum2.asp?"; nocase; uricontent:"soruid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006820; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid INSERT"; flow:established,to_server; uricontent:"/forum2.asp?"; nocase; uricontent:"soruid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006821; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid DELETE"; flow:established,to_server; uricontent:"/forum2.asp?"; nocase; uricontent:"soruid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006822; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006822; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid ASCII"; flow:established,to_server; uricontent:"/forum2.asp?"; nocase; uricontent:"soruid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006823; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006823; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE"; flow:established,to_server; uricontent:"/forum2.asp?"; nocase; uricontent:"soruid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006824; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006824; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak SELECT"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"ak="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006825; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006825; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UNION SELECT"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"ak="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006826; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006826; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak INSERT"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"ak="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006827; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006827; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak DELETE"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"ak="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006828; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"ak="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006829; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"ak="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006830; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006830; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler SELECT"; flow:established,to_server; uricontent:"/aramayap.asp?"; nocase; uricontent:"kelimeler="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006831; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UNION SELECT"; flow:established,to_server; uricontent:"/aramayap.asp?"; nocase; uricontent:"kelimeler="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006832; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006832; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler INSERT"; flow:established,to_server; uricontent:"/aramayap.asp?"; nocase; uricontent:"kelimeler="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006833; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006833; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; uricontent:"/aramayap.asp?"; nocase; uricontent:"kelimeler="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006834; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ASCII"; flow:established,to_server; uricontent:"/aramayap.asp?"; nocase; uricontent:"kelimeler="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006835; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006835; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE"; flow:established,to_server; uricontent:"/aramayap.asp?"; nocase; uricontent:"kelimeler="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006836; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi SELECT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullaniciadi="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006837; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006837; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UNION SELECT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullaniciadi="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006838; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006838; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi INSERT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullaniciadi="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006839; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi DELETE"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullaniciadi="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006840; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006840; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ASCII"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullaniciadi="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006841; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006841; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullaniciadi="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006842; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006842; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno SELECT"; flow:established,to_server; uricontent:"/mesajkutum.asp?"; nocase; uricontent:"mesajno="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006843; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UNION SELECT"; flow:established,to_server; uricontent:"/mesajkutum.asp?"; nocase; uricontent:"mesajno="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006844; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006844; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno INSERT"; flow:established,to_server; uricontent:"/mesajkutum.asp?"; nocase; uricontent:"mesajno="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006845; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006845; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; uricontent:"/mesajkutum.asp?"; nocase; uricontent:"mesajno="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006846; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ASCII"; flow:established,to_server; uricontent:"/mesajkutum.asp?"; nocase; uricontent:"mesajno="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006847; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006847; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE"; flow:established,to_server; uricontent:"/mesajkutum.asp?"; nocase; uricontent:"mesajno="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006848; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006848; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf SELECT"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"harf="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006849; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006849; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UNION SELECT"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"harf="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006850; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf INSERT"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"harf="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006851; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006851; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf DELETE"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"harf="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006852; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ASCII"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"harf="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006853; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006853; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE"; flow:established,to_server; uricontent:"/kullanicilistesi.asp?"; nocase; uricontent:"harf="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006854; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006854; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik SELECT"; flow:established,to_server; uricontent:"/forum.asp?"; nocase; uricontent:"baslik="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006855; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006855; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UNION SELECT"; flow:established,to_server; uricontent:"/forum.asp?"; nocase; uricontent:"baslik="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006856; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik INSERT"; flow:established,to_server; uricontent:"/forum.asp?"; nocase; uricontent:"baslik="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006857; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006857; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik DELETE"; flow:established,to_server; uricontent:"/forum.asp?"; nocase; uricontent:"baslik="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006858; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik ASCII"; flow:established,to_server; uricontent:"/forum.asp?"; nocase; uricontent:"baslik="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006859; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006859; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE"; flow:established,to_server; uricontent:"/forum.asp?"; nocase; uricontent:"baslik="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASPMForum; sid:2006860; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username SELECT"; flow:established,to_server; uricontent:"/artreplydelete.asp?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005105; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_EDGE; sid:2005105; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UNION SELECT"; flow:established,to_server; uricontent:"/artreplydelete.asp?"; nocase; uricontent:"username="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005106; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_EDGE; sid:2005106; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username INSERT"; flow:established,to_server; uricontent:"/artreplydelete.asp?"; nocase; uricontent:"username="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005107; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_EDGE; sid:2005107; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username DELETE"; flow:established,to_server; uricontent:"/artreplydelete.asp?"; nocase; uricontent:"username="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005108; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_EDGE; sid:2005108; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ASCII"; flow:established,to_server; uricontent:"/artreplydelete.asp?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005109; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_EDGE; sid:2005109; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE"; flow:established,to_server; uricontent:"/artreplydelete.asp?"; nocase; uricontent:"username="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_EDGE; sid:2005110; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id SELECT"; flow:established,to_server; uricontent:"/news_detail.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005164; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005164; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UNION SELECT"; flow:established,to_server; uricontent:"/news_detail.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005165; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id INSERT"; flow:established,to_server; uricontent:"/news_detail.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005166; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id DELETE"; flow:established,to_server; uricontent:"/news_detail.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005167; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id ASCII"; flow:established,to_server; uricontent:"/news_detail.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005168; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005168; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE"; flow:established,to_server; uricontent:"/news_detail.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005169; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005169; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user SELECT"; flow:established,to_server; uricontent:"/user.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005170; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UNION SELECT"; flow:established,to_server; uricontent:"/user.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005171; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005171; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user INSERT"; flow:established,to_server; uricontent:"/user.asp?"; nocase; uricontent:"user="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005172; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005172; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user DELETE"; flow:established,to_server; uricontent:"/user.asp?"; nocase; uricontent:"user="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005173; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user ASCII"; flow:established,to_server; uricontent:"/user.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005174; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE"; flow:established,to_server; uricontent:"/user.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005175; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_NEWS; sid:2005175; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro SELECT"; flow:established,to_server; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005883; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_Siteware; sid:2005883; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UNION SELECT"; flow:established,to_server; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005884; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_Siteware; sid:2005884; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro INSERT"; flow:established,to_server; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_Siteware; sid:2005885; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro DELETE"; flow:established,to_server; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_Siteware; sid:2005886; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ASCII"; flow:established,to_server; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005887; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_Siteware; sid:2005887; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE"; flow:established,to_server; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005888; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_Siteware; sid:2005888; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID SELECT"; flow:established,to_server; uricontent:"/listpics.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_listpics; sid:2007000; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/listpics.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007001; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_listpics; sid:2007001; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID INSERT"; flow:established,to_server; uricontent:"/listpics.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007002; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_listpics; sid:2007002; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID DELETE"; flow:established,to_server; uricontent:"/listpics.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007003; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_listpics; sid:2007003; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID ASCII"; flow:established,to_server; uricontent:"/listpics.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_listpics; sid:2007004; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE"; flow:established,to_server; uricontent:"/listpics.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ASP_listpics; sid:2007005; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX Snapshot Method Buffr Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX _DownloadPBOpen Metod Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; classtype:attempted-user; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AVTECH; sid:2011206; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/view.asp?"; nocase; uricontent:"entry="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33693; reference:url,milw0rm.com/exploits/8012; reference:url,doc.emergingthreats.net/2009185; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_A_Better_Gallery; sid:2009185; rev:3;) #by Ferdie Riphagen alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG[PATH] Remote File Include Attempt"; flow:established,to_server; uricontent:"CONFIG[PATH]="; nocase; pcre:"/(join|lostpw)\.php\?/Ui"; pcre:"/&CONFIG\x5bpath\x5d=(https?|ftps?|php)\:/Ui"; reference:cve,CVE-2006-2149; reference:url,www.osvdb.org/25158; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aardvark; sid:2002901; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid SELECT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"categoryid="; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Absolute_Image_Gallery; sid:2004319; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UNION SELECT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"categoryid="; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Absolute_Image_Gallery; sid:2004320; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid INSERT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"categoryid="; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Absolute_Image_Gallery; sid:2004321; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid DELETE"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"categoryid="; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Absolute_Image_Gallery; sid:2004322; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"categoryid="; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004323; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Absolute_Image_Gallery; sid:2004323; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"categoryid="; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004324; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Absolute_Image_Gallery; sid:2004324; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid SELECT"; flow:established,to_server; uricontent:"/product.asp?"; nocase; uricontent:"productid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007392; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007392; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UNION SELECT"; flow:established,to_server; uricontent:"/product.asp?"; nocase; uricontent:"productid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007393; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007393; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid INSERT"; flow:established,to_server; uricontent:"/product.asp?"; nocase; uricontent:"productid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007394; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007394; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid DELETE"; flow:established,to_server; uricontent:"/product.asp?"; nocase; uricontent:"productid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007395; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007395; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ASCII"; flow:established,to_server; uricontent:"/product.asp?"; nocase; uricontent:"productid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007396; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE"; flow:established,to_server; uricontent:"/product.asp?"; nocase; uricontent:"productid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007397; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007397; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"search="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007398; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"search="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007399; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"search="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007400; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"search="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007401; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007401; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"search="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007402; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"search="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acart; sid:2007403; rev:4;) #by Kevin Ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt"; flow:established,to_server; uricontent:"/dispatch.php?atknodetype=reports.weekreport"; nocase; uricontent:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010131; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo; sid:2010131; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt"; flow:established,to_server; uricontent:"/dispatch.php?atknodetype=reports.weekreport"; nocase; uricontent:"userid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010132; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo; sid:2010132; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; uricontent:"/dispatch.php?atknodetype=reports.weekreport"; nocase; uricontent:"userid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo; sid:2010133; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; uricontent:"/dispatch.php?atknodetype=reports.weekreport"; nocase; uricontent:"userid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo; sid:2010134; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt"; flow:established,to_server; uricontent:"/dispatch.php?atknodetype=reports.weekreport"; nocase; uricontent:"userid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010135; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo; sid:2010135; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/debugger.php?"; nocase; uricontent:"config_atkroot="; nocase; pcre:"/config_atkroot\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,36822; reference:url,doc.emergingthreats.net/2010354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Achievo; sid:2010354; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID SELECT"; flow:established,to_server; uricontent:"/activenews_view.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007476; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007476; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UNION SELECT"; flow:established,to_server; uricontent:"/activenews_view.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007477; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007477; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID INSERT"; flow:established,to_server; uricontent:"/activenews_view.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007478; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007478; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID DELETE"; flow:established,to_server; uricontent:"/activenews_view.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007479; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007479; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ASCII"; flow:established,to_server; uricontent:"/activenews_view.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007480; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; uricontent:"/activenews_view.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007481; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"page="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007482; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007482; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"page="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007483; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"page="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007564; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"page="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007484; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"page="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007485; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"page="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007486; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID SELECT"; flow:established,to_server; uricontent:"/activeNews_categories.asp?"; nocase; uricontent:"catID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007487; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007487; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UNION SELECT"; flow:established,to_server; uricontent:"/activeNews_categories.asp?"; nocase; uricontent:"catID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007488; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID INSERT"; flow:established,to_server; uricontent:"/activeNews_categories.asp?"; nocase; uricontent:"catID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007489; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE"; flow:established,to_server; uricontent:"/activeNews_categories.asp?"; nocase; uricontent:"catID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007490; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; uricontent:"/activeNews_categories.asp?"; nocase; uricontent:"catID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007491; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE"; flow:established,to_server; uricontent:"/activeNews_categories.asp?"; nocase; uricontent:"catID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007492; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID SELECT"; flow:established,to_server; uricontent:"/activeNews_comments.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007493; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UNION SELECT"; flow:established,to_server; uricontent:"/activeNews_comments.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007494; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007494; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID INSERT"; flow:established,to_server; uricontent:"/activeNews_comments.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007495; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID DELETE"; flow:established,to_server; uricontent:"/activeNews_comments.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007496; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ASCII"; flow:established,to_server; uricontent:"/activeNews_comments.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007497; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE"; flow:established,to_server; uricontent:"/activeNews_comments.asp?"; nocase; uricontent:"articleID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007498; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007498; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query SELECT"; flow:established,to_server; uricontent:"/activenews_search.asp?"; nocase; uricontent:"query="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007499; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UNION SELECT"; flow:established,to_server; uricontent:"/activenews_search.asp?"; nocase; uricontent:"query="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007500; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query INSERT"; flow:established,to_server; uricontent:"/activenews_search.asp?"; nocase; uricontent:"query="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007501; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query DELETE"; flow:established,to_server; uricontent:"/activenews_search.asp?"; nocase; uricontent:"query="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007502; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ASCII"; flow:established,to_server; uricontent:"/activenews_search.asp?"; nocase; uricontent:"query="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007503; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE"; flow:established,to_server; uricontent:"/activenews_search.asp?"; nocase; uricontent:"query="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ActiveNews; sid:2007565; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/container.php?"; nocase; uricontent:"theme_directory="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acute; sid:2009377; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/container.php?"; nocase; uricontent:"theme_directory="; nocase; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acute; sid:2009378; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/header.php?"; nocase; uricontent:"theme_directory="; nocase; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acute; sid:2009379; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/header.php?"; nocase; uricontent:"theme_directory="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Acute; sid:2009380; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/latestposts.php?"; nocase; uricontent:"forumspath="; nocase; pcre:"/forumspath=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AdaptBB; sid:2009903; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/latestposts.php?"; nocase; uricontent:"forumspath="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009904; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AdaptBB; sid:2009904; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rss_importer_functions.php?"; nocase; uricontent:"sitepath="; nocase; pcre:"/sitepath=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8016; reference:bugtraq,33698; reference:url,doc.emergingthreats.net/2009167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AdaptCMS; sid:2009167; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptWeb a_index.php CodigoDisciplina Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/a_index.php?"; nocase; uricontent:"CodigoDisciplina="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2009-2152; reference:url,en.securitylab.ru/nvd/381723.php; reference:url,milw0rm.com/exploits/8954; reference:url,doc.emergingthreats.net/2010022; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AdaptWeb; sid:2010022; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/logging/logviewer.jsp?"; nocase; uricontent:"logfile="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,www.dsecrg.ru/pages/vul/show.php?id=152; reference:url,www.vupen.com/english/advisories/2009/2285; reference:url,doc.emergingthreats.net/2010194; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2010194; rev:2;) #by Kevin Ross alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/Flex/index.template.html"; nocase; pcre:"/index.template.html.+(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:web-application-attack; reference:cve,2009-1879; reference:url,securitytracker.com/alerts/2009/Aug/1022748.html; reference:url,doc.emergingthreats.net/2010214; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2010214; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; classtype:attempted-user; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2010705; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; classtype:attempted-user; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2010726; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whstart.js"; flow:established,to_server; uricontent:"/whstart.js?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2003897; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whcsh_home.htm"; flow:established,to_server; uricontent:"/whcsh_home.htm?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003898; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2003898; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startpage.js"; flow:established,to_server; uricontent:"/wf_startpage.js?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003899; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2003899; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startqs.htm"; flow:established,to_server; uricontent:"/wf_startqs.htm?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2003900; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt WindowManager.dll"; flow:established,to_server; uricontent:"/WindowManager.dll?"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Adobe; sid:2003901; rev:7;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture"; flow:established,to_server; uricontent:"/picture.php?"; nocase; uricontent:"picture="; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0605; reference:url,www.securityfocus.com/bid/23873; reference:url,doc.emergingthreats.net/2003915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Advanced_Guestbook; sid:2003915; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin/frontpage_right.php?"; nocase; uricontent:"loadadminpage="; nocase; pcre:"/loadadminpage=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,31959; reference:url,milw0rm.com/exploits/6859; reference:url,vupen.com/english/advisories/2008/2959; reference:url,doc.emergingthreats.net/2009382; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Agares; sid:2009382; rev:3;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/EditUrl.php?"; nocase; uricontent:"url="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AjSquared; sid:2008785; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AjaxPortal ajaxp_backend.php page Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ajaxp_backend.php?"; nocase; uricontent:"page="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8341; reference:bugtraq,34338; reference:url,doc.emergingthreats.net/2009424; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AjaxPortal; sid:2009424; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/install/di.php?"; nocase; uricontent:"pathtoserverdata="; nocase; pcre:"/pathtoserverdata\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/55485; reference:url,doc.emergingthreats.net/2010362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AjaxPortal; sid:2010362; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id SELECT"; flow:established,to_server; uricontent:"/HaberDetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004887; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004887; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UNION SELECT"; flow:established,to_server; uricontent:"/HaberDetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004888; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004888; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id INSERT"; flow:established,to_server; uricontent:"/HaberDetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004889; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004889; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id DELETE"; flow:established,to_server; uricontent:"/HaberDetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004890; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004890; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ASCII"; flow:established,to_server; uricontent:"/HaberDetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004891; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004891; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE"; flow:established,to_server; uricontent:"/HaberDetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004892; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT"; flow:established,to_server; uricontent:"/rss.asp?"; nocase; uricontent:"kid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004893; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; uricontent:"/rss.asp?"; nocase; uricontent:"kid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004894; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT"; flow:established,to_server; uricontent:"/rss.asp?"; nocase; uricontent:"kid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004895; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid DELETE"; flow:established,to_server; uricontent:"/rss.asp?"; nocase; uricontent:"kid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004896; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004896; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ASCII"; flow:established,to_server; uricontent:"/rss.asp?"; nocase; uricontent:"kid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004897; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE"; flow:established,to_server; uricontent:"/rss.asp?"; nocase; uricontent:"kid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004898; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aktueldownload_Haber_script; sid:2004898; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"lang="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005772; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alex_Guestbook; sid:2005772; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005773; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alex_Guestbook; sid:2005773; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"lang="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005774; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alex_Guestbook; sid:2005774; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"lang="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005775; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alex_Guestbook; sid:2005775; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"lang="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005776; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alex_Guestbook; sid:2005776; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005777; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alex_Guestbook; sid:2005777; rev:5;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel poll_id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cp_polls_results.php?"; nocase; uricontent:"poll_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6854; reference:url,secunia.com/advisories/32431; reference:url,doc.emergingthreats.net/2008787; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AllInOneControlPanel; sid:2008787; rev:3;) #bvy tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pack="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2004017; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pack="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004018; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2004018; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pack="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2004019; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pack="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004020; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2004020; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pack="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004021; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2004021; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pack="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004022; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2004022; rev:5;) #by chandan of secpod alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection"; flow:to_server,established; uricontent:"/index.php?"; nocase; uricontent:"Act="; nocase; uricontent:"&pgm"; nocase; pcre:"/\+UNION\+SELECT/Ui"; reference:bugtraq,30259; reference:url,milw0rm.com/exploits/6087; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008439; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2008439; rev:3;) #stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/album.php?"; nocase; uricontent:"UID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-3386; reference:url,www.milw0rm.com/exploits/6092; reference:url,secunia.com/advisories/31134/; reference:url,doc.emergingthreats.net/2009228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Alstrasoft; sid:2009228; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; uricontent:"/section/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Angel_Learning_Mgmt; sid:2004717; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; uricontent:"/section/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004718; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Angel_Learning_Mgmt; sid:2004718; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; uricontent:"/section/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004719; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Angel_Learning_Mgmt; sid:2004719; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; uricontent:"/section/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004720; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Angel_Learning_Mgmt; sid:2004720; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; uricontent:"/section/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004721; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Angel_Learning_Mgmt; sid:2004721; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/section/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Angel_Learning_Mgmt; sid:2004723; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; uricontent:"/email.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006560; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; uricontent:"/email.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006561; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; uricontent:"/email.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006562; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; uricontent:"/email.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006564; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; uricontent:"/email.php?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006565; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; uricontent:"/email.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006566; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no SELECT"; flow:established,to_server; uricontent:"/voirannonce.php?"; nocase; uricontent:"no="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006567; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UNION SELECT"; flow:established,to_server; uricontent:"/voirannonce.php?"; nocase; uricontent:"no="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006568; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no INSERT"; flow:established,to_server; uricontent:"/voirannonce.php?"; nocase; uricontent:"no="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006569; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no DELETE"; flow:established,to_server; uricontent:"/voirannonce.php?"; nocase; uricontent:"no="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006570; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ASCII"; flow:established,to_server; uricontent:"/voirannonce.php?"; nocase; uricontent:"no="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006571; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE"; flow:established,to_server; uricontent:"/voirannonce.php?"; nocase; uricontent:"no="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006572; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre SELECT"; flow:established,to_server; uricontent:"/admin/admin_membre/fiche_membre.php?"; nocase; uricontent:"idmembre="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006573; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UNION SELECT"; flow:established,to_server; uricontent:"/admin/admin_membre/fiche_membre.php?"; nocase; uricontent:"idmembre="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006574; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre INSERT"; flow:established,to_server; uricontent:"/admin/admin_membre/fiche_membre.php?"; nocase; uricontent:"idmembre="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006575; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre DELETE"; flow:established,to_server; uricontent:"/admin/admin_membre/fiche_membre.php?"; nocase; uricontent:"idmembre="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006576; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ASCII"; flow:established,to_server; uricontent:"/admin/admin_membre/fiche_membre.php?"; nocase; uricontent:"idmembre="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006577; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE"; flow:established,to_server; uricontent:"/admin/admin_membre/fiche_membre.php?"; nocase; uricontent:"idmembre="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006578; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce SELECT"; flow:established,to_server; uricontent:"/admin/admin_annonce/okvalannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006579; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UNION SELECT"; flow:established,to_server; uricontent:"/admin/admin_annonce/okvalannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006580; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce INSERT"; flow:established,to_server; uricontent:"/admin/admin_annonce/okvalannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006581; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce DELETE"; flow:established,to_server; uricontent:"/admin/admin_annonce/okvalannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006582; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ASCII"; flow:established,to_server; uricontent:"/admin/admin_annonce/okvalannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006583; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE"; flow:established,to_server; uricontent:"/admin/admin_annonce/okvalannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006584; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce SELECT"; flow:established,to_server; uricontent:"/admin/admin_annonce/changeannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006585; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UNION SELECT"; flow:established,to_server; uricontent:"/admin/admin_annonce/changeannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006586; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce INSERT"; flow:established,to_server; uricontent:"/admin/admin_annonce/changeannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006587; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce DELETE"; flow:established,to_server; uricontent:"/admin/admin_annonce/changeannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006588; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ASCII"; flow:established,to_server; uricontent:"/admin/admin_annonce/changeannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006589; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE"; flow:established,to_server; uricontent:"/admin/admin_annonce/changeannonce.php?"; nocase; uricontent:"idannonce="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AnnounceScriptHP; sid:2006590; rev:4;) #by Kevin Ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/host-manager/html/add"; nocase; uricontent:"method="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/29502/info; reference:cve,2008-1947; reference:url,doc.emergingthreats.net/2010146; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Apache_Tomcatmgr; sid:2010146; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/Aris/wflogin.jsp?"; nocase; uricontent:"errmsg="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:bugtraq,38441; reference:url,secunia.com/advisories/38793; reference:url,doc.emergingthreats.net/2011114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Arrisg; sid:2011114; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; classtype:web-application-attack; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Ask.com; sid:2010921; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPApps.com Template Creature media_level.asp mcatid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/media_level.asp?"; nocase; uricontent:"mcatid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7339; reference:bugtraq,32641; reference:url,doc.emergingthreats.net/2008936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AspApps; sid:2008936; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici SELECT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullanici="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006783; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UNION SELECT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullanici="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006784; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici INSERT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullanici="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006785; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici DELETE"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullanici="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006786; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006786; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ASCII"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullanici="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006787; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006787; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"kullanici="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006788; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola SELECT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"parola="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006789; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006789; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UNION SELECT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"parola="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006790; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006790; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola INSERT"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"parola="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006791; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola DELETE"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"parola="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006792; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ASCII"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"parola="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006793; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE"; flow:established,to_server; uricontent:"/giris.asp?"; nocase; uricontent:"parola="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Aspee; sid:2006794; rev:4;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AstroSPACES profile.php SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/profile.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31771; reference:url,www.milw0rm.com/exploits/6758; reference:url,doc.emergingthreats.net/2008669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AstroSPACES; sid:2008669; rev:4;) #By David Maciejak alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/athenareg.php?pass=%20\;"; nocase; reference:cve,CAN-2004-1782; reference:bugtraq,9349; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001949; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Athena; sid:2001949; rev:7;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID SELECT"; flow:established,to_server; uricontent:"/system/index.php?"; nocase; uricontent:"PHPSESSID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Audins; sid:2004724; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UNION SELECT"; flow:established,to_server; uricontent:"/system/index.php?"; nocase; uricontent:"PHPSESSID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Audins; sid:2004725; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID INSERT"; flow:established,to_server; uricontent:"/system/index.php?"; nocase; uricontent:"PHPSESSID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Audins; sid:2004726; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID DELETE"; flow:established,to_server; uricontent:"/system/index.php?"; nocase; uricontent:"PHPSESSID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Audins; sid:2004727; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ASCII"; flow:established,to_server; uricontent:"/system/index.php?"; nocase; uricontent:"PHPSESSID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004728; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Audins; sid:2004728; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE"; flow:established,to_server; uricontent:"/system/index.php?"; nocase; uricontent:"PHPSESSID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Audins; sid:2004729; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Auto Listings Script moreinfo.php itemno Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/moreinfo.php?"; nocase; uricontent:"itemno="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32131; reference:url,milw0rm.com/exploits/7003; reference:url,doc.emergingthreats.net/2009186; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Auto_Listings; sid:2009186; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/_bot.php?"; nocase; uricontent:"master[currentskin]="; nocase; pcre:"/master\[currentskin\]\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/36354; reference:url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt; reference:url,doc.emergingthreats.net/2010198; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AutonomousLanParty; sid:2010198; rev:2;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Autos catid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/searchresults.php?catid="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6696; reference:url,secunia.com/advisories/32139/; reference:url,doc.emergingthreats.net/2008650; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Autos; sid:2008650; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AvailScript Photo Album Script pics.php sid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/pics.php?"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31085; reference:url,milw0rm.com/exploits/6411; reference:url,doc.emergingthreats.net/2009718; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AvailScript; sid:2009718; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/articles.php?"; nocase; uricontent:"aIDS="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-4371; reference:url,secunia.com/advisories/31816/; reference:url,milw0rm.com/exploits/6409; reference:url,doc.emergingthreats.net/2009747; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_AvailScript; sid:2009747; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; classtype:attempted-user; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Avaya; sid:2011681; rev:2;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"/awstats/awstats.pl?config="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert| $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats; sid:2001686; rev:14;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:" $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob SELECT"; flow:established,to_server; uricontent:"/publications_list.asp?"; nocase; uricontent:"vjob="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007452; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UNION SELECT"; flow:established,to_server; uricontent:"/publications_list.asp?"; nocase; uricontent:"vjob="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007453; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob INSERT"; flow:established,to_server; uricontent:"/publications_list.asp?"; nocase; uricontent:"vjob="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007454; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob DELETE"; flow:established,to_server; uricontent:"/publications_list.asp?"; nocase; uricontent:"vjob="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007455; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ASCII"; flow:established,to_server; uricontent:"/publications_list.asp?"; nocase; uricontent:"vjob="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007456; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE"; flow:established,to_server; uricontent:"/publications_list.asp?"; nocase; uricontent:"vjob="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007457; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007457; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID SELECT"; flow:established,to_server; uricontent:"/publication_view.asp?"; nocase; uricontent:"InfoID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007458; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UNION SELECT"; flow:established,to_server; uricontent:"/publication_view.asp?"; nocase; uricontent:"InfoID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007459; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007459; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID INSERT"; flow:established,to_server; uricontent:"/publication_view.asp?"; nocase; uricontent:"InfoID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007460; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID DELETE"; flow:established,to_server; uricontent:"/publication_view.asp?"; nocase; uricontent:"InfoID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007461; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ASCII"; flow:established,to_server; uricontent:"/publication_view.asp?"; nocase; uricontent:"InfoID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007462; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE"; flow:established,to_server; uricontent:"/publication_view.asp?"; nocase; uricontent:"InfoID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BPG_Infotech; sid:2007463; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"layout="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004331; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BP_Blog; sid:2004331; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"layout="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004332; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BP_Blog; sid:2004332; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"layout="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004333; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BP_Blog; sid:2004333; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"layout="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BP_Blog; sid:2004334; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"layout="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BP_Blog; sid:2004335; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"layout="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BP_Blog; sid:2004336; rev:5;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bahar Download Script aspkat.asp SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/aspkat.asp?kid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,31852; reference:url,doc.emergingthreats.net/2008724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bahar; sid:2008724; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bandwebsite lyrics.php id parameter Sql Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lyrics.php?"; nocase; uricontent:"section=full"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7215; reference:bugtraq,32454; reference:url,doc.emergingthreats.net/2008896; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bandwebsite; sid:2008896; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/LSTable.php?"; nocase; uricontent:"class_dir="; nocase; pcre:"/class_dir=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,31419; reference:url,milw0rm.com/exploits/6575; reference:url,doc.emergingthreats.net/2009165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BarcodeGenerator; sid:2009165; rev:3;) #by mike cox alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_username)"; flow:established,to_server; uricontent:"/cgi-mod/index.cgi?"; nocase; uricontent:"backup_username="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_username=[^&\;]*[>\"]/iU"; classtype:web-application-attack; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Barracuda; sid:2010547; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_server)"; flow:established,to_server; uricontent:"/cgi-mod/index.cgi?"; nocase; uricontent:"backup_server="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_server=[^&\;]*[>\"]/iU"; classtype:web-application-attack; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Barracuda; sid:2010548; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_path)"; flow:established,to_server; uricontent:"/cgi-mod/index.cgi?"; nocase; uricontent:"backup_path="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_path=[^&\;]*[>\"]/iU"; classtype:web-application-attack; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010549; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Barracuda; sid:2010549; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_password)"; flow:established,to_server; uricontent:"/cgi-mod/index.cgi?"; nocase; uricontent:"backup_password="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_password=[^&\;]*[>\"]/iU"; classtype:web-application-attack; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Barracuda; sid:2010550; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/main.inc.php?"; nocase; uricontent:"mj_config[src_path]="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009195; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basebuilder; sid:2009195; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/main.inc.php?"; nocase; uricontent:"mj_config[src_path]="; nocase; pcre:"/mj_config\[src_path\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009196; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basebuilder; sid:2009196; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; uricontent:"/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basicforum; sid:2007211; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; uricontent:"/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007212; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basicforum; sid:2007212; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; uricontent:"/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007213; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basicforum; sid:2007213; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; uricontent:"/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007214; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basicforum; sid:2007214; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; uricontent:"/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007215; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basicforum; sid:2007215; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; uricontent:"/edit.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Basicforum; sid:2007216; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath"; flow:established,to_server; uricontent:"/language/1/splash.lang.php?"; nocase; uricontent:"languagePath="; nocase; classtype:web-application-attack; reference:cve,CVE-2007-2663; reference:url,www.milw0rm.com/exploits/3909; reference:url,doc.emergingthreats.net/2003738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Beacon; sid:2003738; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/linkadmin.php?"; nocase; uricontent:"page="; nocase; pcre:"/page=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Beerwins; sid:2009364; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/edlink.php?"; nocase; uricontent:"linkid"; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Beerwins; sid:2009365; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot"; flow:established,to_server; uricontent:"/berylium-classes.php?"; nocase; uricontent:"beryliumroot="; nocase; classtype:web-application-attack; reference:cve,CVE-2007-2531; reference:url,www.milw0rm.com/exploits/3869; reference:url,doc.emergingthreats.net/2003677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Berylium2; sid:2003677; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter projects.php idp Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/reports/projects.php?"; nocase; uricontent:"idp="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009740; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BibCiter; sid:2009740; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter contacts.php idc Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/reports/contacts.php?"; nocase; uricontent:"idc="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009741; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BibCiter; sid:2009741; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter users.php idu Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/reports/users.php?"; nocase; uricontent:"idu="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BibCiter; sid:2009742; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/block_center_down.php?"; nocase; uricontent:"row_mysql_blocks_center_down[file]="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogPlus; sid:2009417; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/block_center_top.php?"; nocase; uricontent:"row_mysql_blocks_center_top[file]="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogPlus; sid:2009418; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/block_left.php?"; nocase; uricontent:"row_mysql_blocks_left[file]="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogPlus; sid:2009420; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/block_right.php?"; nocase; uricontent:"row_mysql_blocks_right[file]="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogPlus; sid:2009421; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/window_down.php?"; nocase; uricontent:"row_mysql_bloginfo[theme]="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogPlus; sid:2009422; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/window_top.php?"; nocase; uricontent:"row_mysql_bloginfo[theme]="; nocase; content:"../"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogPlus; sid:2009423; rev:3;) #by Jamie Thinglestad alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; classtype:web-application-attack; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; reference:url,doc.emergingthreats.net/2002069; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BlogSpam; sid:2002069; rev:7;) #by Kevin Ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/search.5.html?search="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/36700/info; reference:url,doc.emergingthreats.net/2010147; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bloofox; sid:2010147; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php SELECT"; flow:established,to_server; uricontent:"/bt-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006333; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bluetrait; sid:2006333; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/bt-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bluetrait; sid:2006334; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php INSERT"; flow:established,to_server; uricontent:"/bt-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bluetrait; sid:2006335; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php DELETE"; flow:established,to_server; uricontent:"/bt-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bluetrait; sid:2006336; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php ASCII"; flow:established,to_server; uricontent:"/bt-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bluetrait; sid:2006337; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE"; flow:established,to_server; uricontent:"/bt-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006338; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bluetrait; sid:2006338; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"blog="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2932; reference:url,www.securityfocus.com/bid/24156; reference:url,doc.emergingthreats.net/2004583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BoastMachine; sid:2004583; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd SELECT"; flow:established,to_server; uricontent:"/admin/config.php?"; nocase; uricontent:"sqlcmd="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bookmark4U; sid:2004828; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UNION SELECT"; flow:established,to_server; uricontent:"/admin/config.php?"; nocase; uricontent:"sqlcmd="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004829; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bookmark4U; sid:2004829; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd INSERT"; flow:established,to_server; uricontent:"/admin/config.php?"; nocase; uricontent:"sqlcmd="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004830; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bookmark4U; sid:2004830; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd DELETE"; flow:established,to_server; uricontent:"/admin/config.php?"; nocase; uricontent:"sqlcmd="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bookmark4U; sid:2004831; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd ASCII"; flow:established,to_server; uricontent:"/admin/config.php?"; nocase; uricontent:"sqlcmd="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004832; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bookmark4U; sid:2004832; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE"; flow:established,to_server; uricontent:"/admin/config.php?"; nocase; uricontent:"sqlcmd="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004833; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Bookmark4U; sid:2004833; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/HTMLSax3.php?"; nocase; uricontent:"dir[plugins]="; nocase; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Boonex; sid:2009370; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/safehtml.php?"; nocase; uricontent:"dir[plugins]="; nocase; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009371; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Boonex; sid:2009371; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/inc/content.inc.php?"; nocase; uricontent:"sIncPath="; nocase; pcre:"/sIncPath=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009372; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Boonex; sid:2009372; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"style="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004023; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"style="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004024; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"style="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004025; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"style="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004026; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004026; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"style="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004027; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004027; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"style="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004028; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"langue="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004029; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"langue="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004030; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004030; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"langue="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004031; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"langue="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004032; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"langue="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004033; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE"; flow:established,to_server; uricontent:"/account_change.php?"; nocase; uricontent:"langue="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtiTracker; sid:2004034; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by SELECT"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"by="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004985; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004985; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UNION SELECT"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"by="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004986; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004986; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by INSERT"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"by="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004987; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004987; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by DELETE"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"by="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004988; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by ASCII"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"by="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004989; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004989; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"by="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004990; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order SELECT"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004991; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UNION SELECT"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"order="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004992; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order INSERT"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"order="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004993; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004993; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order DELETE"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"order="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004994; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order ASCII"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004995; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE"; flow:established,to_server; uricontent:"/torrents.php?"; nocase; uricontent:"order="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_BtitTracker; sid:2004996; rev:5;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Built2go Real Estate Listings event_id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/event_detail.php?event_id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/6697; reference:url,secunia.com/Advisories/32129/; reference:url,doc.emergingthreats.net/2008653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Built2go; sid:2008653; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id SELECT"; flow:established,to_server; uricontent:"/bry.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003776; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2003776; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UNION SELECT"; flow:established,to_server; uricontent:"/bry.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003777; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2003777; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id INSERT"; flow:established,to_server; uricontent:"/bry.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003778; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2003778; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id DELETE"; flow:established,to_server; uricontent:"/bry.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003779; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2003779; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ASCII"; flow:established,to_server; uricontent:"/bry.asp?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2003780; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE"; flow:established,to_server; uricontent:"/bry.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003781; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2003781; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid SELECT"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006249; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UNION SELECT"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006250; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006250; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid INSERT"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006251; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid DELETE"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006252; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006252; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ASCII"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006253; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006254; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id SELECT"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006255; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UNION SELECT"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006256; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id INSERT"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006257; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id DELETE"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006258; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ASCII"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006259; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE"; flow:established,to_server; uricontent:"/HABERLER.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006260; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id SELECT"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006261; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UNION SELECT"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006262; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id INSERT"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006263; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id DELETE"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006264; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ASCII"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006265; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006266; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid SELECT"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006267; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UNION SELECT"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006268; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid INSERT"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006269; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid DELETE"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006270; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ASCII"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006271; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE"; flow:established,to_server; uricontent:"/ASPKAT.ASP?"; nocase; uricontent:"kid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006272; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; uricontent:"/down.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006273; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; uricontent:"/down.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006274; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; uricontent:"/down.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006275; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; uricontent:"/down.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006276; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; uricontent:"/down.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006277; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; uricontent:"/down.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Burak; sid:2006278; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/spaw_control.class.php?"; nocase; uricontent:"spaw_root="; nocase; content:"../"; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/43536; reference:bugtraq,30042; reference:url,milw0rm.com/exploits/5983; reference:url,doc.emergingthreats.net/2009429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CAT2; sid:2009429; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CF_Calendar calid parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/calendarevent.cfm?"; nocase; uricontent:"calid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33074/; reference:url,milw0rm.com/exploits/7413; reference:url,doc.emergingthreats.net/2008995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CF_Calendar; sid:2008995; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX"; flow:established,to_server; uricontent:"/mtdialogo.php?"; nocase; uricontent:"pathCGX="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CGX; sid:2003726; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX"; flow:established,to_server; uricontent:"/ltdialogo.php?"; nocase; uricontent:"pathCGX="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CGX; sid:2003727; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX"; flow:established,to_server; uricontent:"/login.php?"; nocase; uricontent:"pathCGX="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CGX; sid:2003729; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX"; flow:established,to_server; uricontent:"/inc/logingecon.php?"; nocase; uricontent:"pathCGX="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003728; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CGX; sid:2003728; rev:6;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir"; flow:established,to_server; uricontent:"/pcltrace.lib.php?"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2660; reference:url,www.milw0rm.com/exploits/3915; reference:url,doc.emergingthreats.net/2003737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CJG_Explorer; sid:2003737; rev:6;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Faethon info.php item Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/info.php?"; nocase; uricontent:"item="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33775; reference:url,milw0rm.com/exploits/8054; reference:url,doc.emergingthreats.net/2009192; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Faethon; sid:2009192; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid SELECT"; flow:established,to_server; uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple; sid:2003794; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UNION SELECT"; flow:established,to_server; uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003795; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple; sid:2003795; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid INSERT"; flow:established,to_server; uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003796; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple; sid:2003796; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid DELETE"; flow:established,to_server; uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003865; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple; sid:2003865; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ASCII"; flow:established,to_server; uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003797; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple; sid:2003797; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE"; flow:established,to_server; uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple; sid:2003798; rev:6;) #by Nagraj S alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"id_menu="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/id_menu\x3d.+DELETE.+FROM/Ui";classtype:web-application-attack; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009977; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMScontrol; sid:2009977; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"id_menu="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/id_menu\x3d.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMScontrol; sid:2009978; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"id_menu=";nocase;uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/id_menu\x3d.+UPDATE.+SET/Ui";classtype:web-application-attack; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009979; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMScontrol; sid:2009979; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"id_menu="; nocase; uricontent:"SELECT"; nocase; pcre:"/id_menu\x3d.+UNION.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMScontrol; sid:2009980; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/plugins/csstidy/css_optimiser.php?"; nocase; uricontent:"url="; nocase; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; reference:url,doc.emergingthreats.net/2011383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CSSTidy; sid:2011383; rev:2;) #By David Maciejak alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSV-DB CSV_DB.CGI Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/cgi-bin/csv_db.cgi?"; nocase; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14059; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2002066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CSV-DB; sid:2002066; rev:6;) # Submitted by Mark Tombaugh, 2005/07/18 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack"; flow:established,to_server; content:"GET "; depth:4; nocase; pcre:"/(config_settings|top_graph_header)\.php\?.*=(http|https)\:\//Ui"; classtype:web-application-activity; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; reference:url,doc.emergingthreats.net/2002129; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2002129; rev:10;) #by David Maciejak alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti graph_image.php Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/graph_image.php?"; nocase; pcre:"/(graph_start=%0a.+%0a)/i"; reference:cve,CAN-2005-1524; reference:bugtraq,14129; reference:bugtraq,14042; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2002313; rev:9;) #by David Maciejak alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt"; flow:to_server,established; uricontent:"/cmd.php?"; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; reference:cve,CVE-2006-6799; reference:bugtraq,21799; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2003334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2003334; rev:6;) #by Akash Mahajan of stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; uricontent:"graph_view.php?"; nocase; uricontent:"graph_list="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007889; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007889; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list INSERT"; flow:established,to_server; uricontent:"graph_view.php?"; nocase; uricontent:"graph_list="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007890; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007890; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list DELETE"; flow:established,to_server; uricontent:"graph_view.php?"; nocase; uricontent:"graph_list="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007891; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007891; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE"; flow:established,to_server; uricontent:"graph_view.php?"; nocase; uricontent:"graph_list="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007892; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id SELECT"; flow:established,to_server; uricontent:"tree.php?"; nocase; uricontent:"leaf_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007893; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT"; flow:established,to_server; uricontent:"tree.php?"; nocase; uricontent:"leaf_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007894; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id INSERT"; flow:established,to_server; uricontent:"tree.php?"; nocase; uricontent:"leaf_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007895; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id DELETE"; flow:established,to_server; uricontent:"tree.php?"; nocase; uricontent:"leaf_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007896; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007896; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE"; flow:established,to_server; uricontent:"tree.php?"; nocase; uricontent:"leaf_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cacti; sid:2007897; rev:6;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cacti/utilities.php"; nocase; uricontent:"tail_lines="; nocase; uricontent:"message_type="; nocase; uricontent:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:cve,2010-2544; reference:cve,2010-2545; sid:2011423; rev:1;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs"; flow:established,to_server; uricontent:"/cand_login.asp?"; nocase; uricontent:"strJobIDs="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2818; reference:url,www.securityfocus.com/bid/24078; reference:url,doc.emergingthreats.net/2004559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CactuSoft; sid:2004559; rev:5;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt"; flow:established,to_server; uricontent:"_invoice.asp"; nocase; uricontent:"script>"; nocase; pcre:"/(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,www.coresecurity.com/content/cactushop-xss-persistent-vulnerability; reference:cve,2010-1486; reference:url,doc.emergingthreats.net/2011054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cactushop; sid:2011054; rev:2;) #by Stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (dish.php)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dish.php"; nocase; uricontent:"?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008679; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CafeEngine; sid:2008679; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (menu.php)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/menu.php"; nocase; uricontent:"?id="; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008680; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CafeEngine; sid:2008680; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID SELECT"; flow:established,to_server; uricontent:"/calendar_detail.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006165; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006165; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/calendar_detail.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006166; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID INSERT"; flow:established,to_server; uricontent:"/calendar_detail.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006167; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID DELETE"; flow:established,to_server; uricontent:"/calendar_detail.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006168; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006168; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ASCII"; flow:established,to_server; uricontent:"/calendar_detail.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006169; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006169; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE"; flow:established,to_server; uricontent:"/calendar_detail.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006170; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID SELECT"; flow:established,to_server; uricontent:"/admin/admin_mail_adressee.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006183; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006183; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/admin/admin_mail_adressee.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006184; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006184; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID INSERT"; flow:established,to_server; uricontent:"/admin/admin_mail_adressee.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006185; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006185; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID DELETE"; flow:established,to_server; uricontent:"/admin/admin_mail_adressee.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006186; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006186; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ASCII"; flow:established,to_server; uricontent:"/admin/admin_mail_adressee.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006187; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006187; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE"; flow:established,to_server; uricontent:"/admin/admin_mail_adressee.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006188; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Calendar_MX; sid:2006188; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand"; flow:established,to_server; uricontent:"/scripts/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2004569; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg"; flow:established,to_server; uricontent:"/scripts/prodList.asp?"; nocase; uricontent:"Msg="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2004570; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy SELECT"; flow:established,to_server; uricontent:"/openPolicy.asp?"; nocase; uricontent:"policy="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007464; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UNION SELECT"; flow:established,to_server; uricontent:"/openPolicy.asp?"; nocase; uricontent:"policy="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007465; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy INSERT"; flow:established,to_server; uricontent:"/openPolicy.asp?"; nocase; uricontent:"policy="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007466; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy DELETE"; flow:established,to_server; uricontent:"/openPolicy.asp?"; nocase; uricontent:"policy="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007467; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ASCII"; flow:established,to_server; uricontent:"/openPolicy.asp?"; nocase; uricontent:"policy="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007468; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE"; flow:established,to_server; uricontent:"/openPolicy.asp?"; nocase; uricontent:"policy="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007469; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand SELECT"; flow:established,to_server; uricontent:"/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007470; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UNION SELECT"; flow:established,to_server; uricontent:"/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007471; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand INSERT"; flow:established,to_server; uricontent:"/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007472; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand DELETE"; flow:established,to_server; uricontent:"/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007473; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand ASCII"; flow:established,to_server; uricontent:"/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007474; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE"; flow:established,to_server; uricontent:"/prodList.asp?"; nocase; uricontent:"brand="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CandyPress; sid:2007475; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Check New findoffice.php search parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/findoffice.php?"; nocase; uricontent:"search="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7328; reference:bugtraq,32590; reference:url,doc.emergingthreats.net/2008933; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CheckNew; sid:2008933; rev:3;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/+webvpn+/index.html"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; reference:url,doc.emergingthreats.net/2010505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cisco; sid:2010505; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"/ekgnkm/AccessCodeStart.asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cisco; sid:2010506; rev:3;) #kevin ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/webline/html/admin/wcs/LoginPage.jhtml"; nocase; uricontent:"dest="; nocase; pcre:"/dest\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,www.exploit-db.com/exploits/11403/; reference:cve,2010-0641; reference:url,doc.emergingthreats.net/2011676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cisco; sid:2011676; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Cisco IOS HTTP Server Cross Site Scripting Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ping?"; nocase; pcre:"/ping.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; classtype:web-application-attack; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17364; reference:url,www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html; reference:cve,2008-3821; reference:url,doc.emergingthreats.net/2011189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cisco; sid:2011189; rev:2;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"|0D 0A|Location|3A|"; nocase; classtype:web-application-attack; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CiscoPix; sid:2011763; rev:2;) #by Wolvee alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config/edituser.php?"; nocase; uricontent:"username="; nocase; uricontent:"script"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009590; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/console.php?"; nocase; uricontent:"location="; nocase; uricontent:"vmname="; nocase;uricontent:"script"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009591; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009591; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/forcesd.php?"; nocase; uricontent:"vmrefid="; nocase; uricontent:"vmname="; nocase;uricontent:"script"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009592; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/forcerestart.php?"; nocase; uricontent:"vmrefid="; nocase; uricontent:"vmname="; nocase;uricontent:"script"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009593; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb changepw.php CSRF attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config/changepw.php?"; nocase; uricontent:"username="; nocase; uricontent:"&newpass="; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009594; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb hardstopvm.php CSRF attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"hardstopvm.php?"; nocase; uricontent:"stop_vmref="; nocase; uricontent:"&stop_vmname="; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009595; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb writeconfig.php Remote Command Execution attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"writeconfig.php?"; nocase; uricontent:"pool1="; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Citrix; sid:2009596; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/scripts/export.php?"; nocase; content:"ftype="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; reference:url,doc.emergingthreats.net/2009009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClaSS; sid:2009009; rev:3;) #by mike cox alert tcp $EXTERNAL_NET any -> $HOME_NET 82 (msg:"ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt"; flow:established,to_server; content:"GET"; content:"script"; nocase; content:"/proxy.php?"; nocase; content:"url="; nocase; pcre:"/\/proxy\.php(\?|.*[\x26\x3B])url=[^&\;\x0D\x0A]*[<>\"\']/i"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37446/info; reference:url,doc.emergingthreats.net/2010602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClarkConnect; sid:2010602; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/install.clickheat.php?"; nocase;uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009754; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009754; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/heatmap/_main.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009755; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/heatmap/main.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009756; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009756; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Clickheat/Cache.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009757; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009757; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Clickheat_Heatmap.php?"; nocase;uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009758; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009758; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/GlobalVariables.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui";classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009759; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/overview/main.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009760; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClickHeat; sid:2009760; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date SELECT"; flow:established,to_server; uricontent:"/displayCalendar.asp?"; nocase; uricontent:"date="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007223; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UNION SELECT"; flow:established,to_server; uricontent:"/displayCalendar.asp?"; nocase; uricontent:"date="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007224; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007224; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date INSERT"; flow:established,to_server; uricontent:"/displayCalendar.asp?"; nocase; uricontent:"date="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007225; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007225; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date DELETE"; flow:established,to_server; uricontent:"/displayCalendar.asp?"; nocase; uricontent:"date="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007226; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007226; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ASCII"; flow:established,to_server; uricontent:"/displayCalendar.asp?"; nocase; uricontent:"date="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007227; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007227; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE"; flow:established,to_server; uricontent:"/displayCalendar.asp?"; nocase; uricontent:"date="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007228; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage SELECT"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007229; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007229; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UNION SELECT"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007230; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007230; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage INSERT"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007231; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage DELETE"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007232; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007232; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ASCII"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007233; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007234; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id SELECT"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"gallery_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007235; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UNION SELECT"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"gallery_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007236; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007236; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id INSERT"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"gallery_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007237; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id DELETE"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"gallery_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007238; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007238; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ASCII"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"gallery_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007239; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE"; flow:established,to_server; uricontent:"/view_gallery.asp?"; nocase; uricontent:"gallery_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007240; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id SELECT"; flow:established,to_server; uricontent:"/download_image.asp?"; nocase; uricontent:"image_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007241; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UNION SELECT"; flow:established,to_server; uricontent:"/download_image.asp?"; nocase; uricontent:"image_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007242; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007242; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id INSERT"; flow:established,to_server; uricontent:"/download_image.asp?"; nocase; uricontent:"image_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007243; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id DELETE"; flow:established,to_server; uricontent:"/download_image.asp?"; nocase; uricontent:"image_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007244; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007244; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ASCII"; flow:established,to_server; uricontent:"/download_image.asp?"; nocase; uricontent:"image_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007245; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007245; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE"; flow:established,to_server; uricontent:"/download_image.asp?"; nocase; uricontent:"image_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007246; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007246; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage SELECT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007247; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007247; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UNION SELECT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007248; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage INSERT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007249; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage DELETE"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007250; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007250; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ASCII"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007251; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007252; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007252; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby SELECT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007253; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UNION SELECT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007254; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby INSERT"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007255; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby DELETE"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007256; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ASCII"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007257; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE"; flow:established,to_server; uricontent:"/gallery.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007258; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage SELECT"; flow:established,to_server; uricontent:"/view_recent.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007259; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UNION SELECT"; flow:established,to_server; uricontent:"/view_recent.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007260; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage INSERT"; flow:established,to_server; uricontent:"/view_recent.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007261; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage DELETE"; flow:established,to_server; uricontent:"/view_recent.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007262; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ASCII"; flow:established,to_server; uricontent:"/view_recent.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007263; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE"; flow:established,to_server; uricontent:"/view_recent.asp?"; nocase; uricontent:"currentpage="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007264; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"AlphaSort="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007265; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"AlphaSort="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007266; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"AlphaSort="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007267; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"AlphaSort="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007268; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"AlphaSort="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007269; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"AlphaSort="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007270; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"In="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007271; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"In="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007272; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"In="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007273; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"In="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007274; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"In="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007275; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"In="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007276; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007277; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007278; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007279; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007280; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007281; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Clicktech; sid:2007282; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ticketID="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClientExec; sid:2004566; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"view="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClientExec; sid:2004567; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"fuse="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClientExec; sid:2004568; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClipShare Pro channel_detail.php chid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/channel_detail.php?"; nocase; uricontent:"chid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32311; reference:url,milw0rm.com/exploits/7128; reference:url,doc.emergingthreats.net/2008866; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClipSharePro; sid:2008866; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"query="; nocase; uricontent:"script"; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-2913; reference:url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded; reference:url,doc.emergingthreats.net/2004591; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ClonusWiki; sid:2004591; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID SELECT"; flow:established,to_server; uricontent:"/inc_listnews.asp?"; nocase; uricontent:"CAT_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004875; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeAvalance; sid:2004875; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UNION SELECT"; flow:established,to_server; uricontent:"/inc_listnews.asp?"; nocase; uricontent:"CAT_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004876; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeAvalance; sid:2004876; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID INSERT"; flow:established,to_server; uricontent:"/inc_listnews.asp?"; nocase; uricontent:"CAT_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeAvalance; sid:2004877; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID DELETE"; flow:established,to_server; uricontent:"/inc_listnews.asp?"; nocase; uricontent:"CAT_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004878; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeAvalance; sid:2004878; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ASCII"; flow:established,to_server; uricontent:"/inc_listnews.asp?"; nocase; uricontent:"CAT_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004879; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeAvalance; sid:2004879; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE"; flow:established,to_server; uricontent:"/inc_listnews.asp?"; nocase; uricontent:"CAT_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004880; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeAvalance; sid:2004880; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeIgniter DB_active_rec.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/system/database/DB_active_rec.php?"; nocase; uricontent:"BASEPATH="; nocase; pcre:"/BASEPATH=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,38672; reference:url,inj3ct0r.com/exploits/10886; reference:url,doc.emergingthreats.net/2011319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeIgniter; sid:2011319; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeIgniter DB_driver.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/system/database/DB_driver.php?"; nocase; uricontent:"BASEPATH="; nocase; pcre:"/BASEPATH=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,38672; reference:url,inj3ct0r.com/exploits/10886; reference:url,doc.emergingthreats.net/2011320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CodeIgniter; sid:2011320; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct SELECT"; flow:established,to_server; uricontent:"/comersus_optReviewReadExec.asp?"; nocase; uricontent:"idProduct="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comersus; sid:2006504; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UNION SELECT"; flow:established,to_server; uricontent:"/comersus_optReviewReadExec.asp?"; nocase; uricontent:"idProduct="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comersus; sid:2006505; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct INSERT"; flow:established,to_server; uricontent:"/comersus_optReviewReadExec.asp?"; nocase; uricontent:"idProduct="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comersus; sid:2006506; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct DELETE"; flow:established,to_server; uricontent:"/comersus_optReviewReadExec.asp?"; nocase; uricontent:"idProduct="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comersus; sid:2006507; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ASCII"; flow:established,to_server; uricontent:"/comersus_optReviewReadExec.asp?"; nocase; uricontent:"idProduct="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comersus; sid:2006508; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE"; flow:established,to_server; uricontent:"/comersus_optReviewReadExec.asp?"; nocase; uricontent:"idProduct="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comersus; sid:2006509; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"epi="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004635; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComicSense_Portal; sid:2004635; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"epi="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComicSense_Portal; sid:2004636; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"epi="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004637; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComicSense_Portal; sid:2004637; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"epi="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComicSense_Portal; sid:2004638; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"epi="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComicSense_Portal; sid:2004639; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"epi="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComicSense_Portal; sid:2004640; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CommonSpot Server longproc.cfm Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"/commonspot/utilities/longproc.cfm?"; nocase; uricontent:"onlyurlvars="; nocase; uricontent:"url="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert| $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Community CMS view.php article_id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view.php?"; nocase; uricontent:"article_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,34303; reference:url,milw0rm.com/exploits/8323; reference:url,doc.emergingthreats.net/2009787; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Community_CMS; sid:2009787; rev:3;) #By David Maciejak alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Community Link Pro Login.CGI Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/login.cgi?"; nocase; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14097; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Community_Link; sid:2002067; rev:6;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/siteminderagent/forms/smpwservices.fcc"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; classtype:web-application-attack; reference:cve,2007-5923; reference:url,www.securityfocus.com/bid/26375/info; reference:url,doc.emergingthreats.net/2010200; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ComputerAssociates; sid:2010200; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comtrend ADSL Router srvName parameter XSS attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/scvrtsrv.cmd?"; nocase; uricontent:"srvName="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";classtype:web-application-attack; reference:url,packetstorm.foofus.com/1001-exploits/comtrend-xss.txt;reference:url,xforce.iss.net/xforce/xfdb/47765; reference:url,doc.emergingthreats.net/2011019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Comtrend; sid:2011019; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/header.php?"; nocase; uricontent:"sections_file="; nocase; pcre:"/sections_file=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,31461; reference:url,milw0rm.com/exploits/6598; reference:url,doc.emergingthreats.net/2009166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Concord_Consortium; sid:2009166; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"uploadimage="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004705; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"uploadimage="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004706; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004706; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"uploadimage="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004707; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"uploadimage="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004708; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"uploadimage="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004709; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004709; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"uploadimage="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004710; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"p_skin="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004711; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"p_skin="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004712; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"p_skin="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004713; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004713; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"p_skin="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004714; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004714; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"p_skin="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004715; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"p_skin="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004716; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Connectix_Portal; sid:2004716; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/verify/asp/n6plugindestructor.asp?"; nocase; uricontent:"backurl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:bugtraq,39999; reference:url,juniper.net/security/auto/vulnerabilities/vuln39999.html; reference:url,doc.emergingthreats.net/2011152; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Consona; sid:2011152; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pageid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ContentNow; sid:2007336; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pageid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ContentNow; sid:2007337; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pageid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007338; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ContentNow; sid:2007338; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pageid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ContentNow; sid:2007339; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pageid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ContentNow; sid:2007340; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"pageid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_ContentNow; sid:2007341; rev:4;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id SELECT"; flow:established,to_server; uricontent:"/haber.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Contra_Haber; sid:2006303; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UNION SELECT"; flow:established,to_server; uricontent:"/haber.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Contra_Haber; sid:2006304; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id INSERT"; flow:established,to_server; uricontent:"/haber.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Contra_Haber; sid:2006305; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id DELETE"; flow:established,to_server; uricontent:"/haber.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Contra_Haber; sid:2006306; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ASCII"; flow:established,to_server; uricontent:"/haber.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Contra_Haber; sid:2006307; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE"; flow:established,to_server; uricontent:"/haber.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Contra_Haber; sid:2006308; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav SELECT"; flow:established,to_server; uricontent:"/thumbnails.php?"; nocase; uricontent:"cpg131_fav="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2004809; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UNION SELECT"; flow:established,to_server; uricontent:"/thumbnails.php?"; nocase; uricontent:"cpg131_fav="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2004810; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav INSERT"; flow:established,to_server; uricontent:"/thumbnails.php?"; nocase; uricontent:"cpg131_fav="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2004811; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav DELETE"; flow:established,to_server; uricontent:"/thumbnails.php?"; nocase; uricontent:"cpg131_fav="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2004812; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ASCII"; flow:established,to_server; uricontent:"/thumbnails.php?"; nocase; uricontent:"cpg131_fav="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004813; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2004813; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE"; flow:established,to_server; uricontent:"/thumbnails.php?"; nocase; uricontent:"cpg131_fav="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2004815; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat SELECT"; flow:established,to_server; uricontent:"/albmgr.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005841; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005841; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UNION SELECT"; flow:established,to_server; uricontent:"/albmgr.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005842; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005842; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT"; flow:established,to_server; uricontent:"/albmgr.php?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005843; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat DELETE"; flow:established,to_server; uricontent:"/albmgr.php?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005844; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005844; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ASCII"; flow:established,to_server; uricontent:"/albmgr.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005845; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005845; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE"; flow:established,to_server; uricontent:"/albmgr.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005846; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005846; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT"; flow:established,to_server; uricontent:"/usermgr.php?"; nocase; uricontent:"gid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005847; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005847; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UNION SELECT"; flow:established,to_server; uricontent:"/usermgr.php?"; nocase; uricontent:"gid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005848; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005848; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid INSERT"; flow:established,to_server; uricontent:"/usermgr.php?"; nocase; uricontent:"gid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005849; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005849; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; uricontent:"/usermgr.php?"; nocase; uricontent:"gid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005850; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ASCII"; flow:established,to_server; uricontent:"/usermgr.php?"; nocase; uricontent:"gid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005851; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005851; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE"; flow:established,to_server; uricontent:"/usermgr.php?"; nocase; uricontent:"gid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005852; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start SELECT"; flow:established,to_server; uricontent:"/db_ecard.php?"; nocase; uricontent:"start="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005853; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005853; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UNION SELECT"; flow:established,to_server; uricontent:"/db_ecard.php?"; nocase; uricontent:"start="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005854; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005854; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start INSERT"; flow:established,to_server; uricontent:"/db_ecard.php?"; nocase; uricontent:"start="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005855; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005855; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start DELETE"; flow:established,to_server; uricontent:"/db_ecard.php?"; nocase; uricontent:"start="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005856; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ASCII"; flow:established,to_server; uricontent:"/db_ecard.php?"; nocase; uricontent:"start="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005857; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005857; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE"; flow:established,to_server; uricontent:"/db_ecard.php?"; nocase; uricontent:"start="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Coppermine_Photo_Gallery; sid:2005858; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/footer.php?"; nocase; uricontent:"footer_file="; nocase; pcre:"/footer_file=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,31217; reference:url,milw0rm.com/exploits/6475; reference:url,doc.emergingthreats.net/2009793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Crawler; sid:2009793; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id SELECT"; flow:established,to_server; uricontent:"/error.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003752; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Creascripts; sid:2003752; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UNION SELECT"; flow:established,to_server; uricontent:"/error.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003753; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Creascripts; sid:2003753; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id INSERT"; flow:established,to_server; uricontent:"/error.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003754; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Creascripts; sid:2003754; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id DELETE"; flow:established,to_server; uricontent:"/error.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Creascripts; sid:2003755; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ASCII"; flow:established,to_server; uricontent:"/error.asp?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003756; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Creascripts; sid:2003756; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE"; flow:established,to_server; uricontent:"/error.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003757; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Creascripts; sid:2003757; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid SELECT"; flow:established,to_server; uricontent:"/cats.asp?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005859; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CreateAuction; sid:2005859; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UNION SELECT"; flow:established,to_server; uricontent:"/cats.asp?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CreateAuction; sid:2005860; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid INSERT"; flow:established,to_server; uricontent:"/cats.asp?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CreateAuction; sid:2005861; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid DELETE"; flow:established,to_server; uricontent:"/cats.asp?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005862; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CreateAuction; sid:2005862; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid ASCII"; flow:established,to_server; uricontent:"/cats.asp?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CreateAuction; sid:2005863; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE"; flow:established,to_server; uricontent:"/cats.asp?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CreateAuction; sid:2005864; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Business Objects Crystal Reports Web Form Viewer Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/crystalreportviewers/crystalimagehandler.aspx?"; nocase; uricontent:"dynamicimage="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/11803/; reference:bugtraq,10260; reference:url,doc.emergingthreats.net/2011113; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CrystalReports; sid:2011113; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php SELECT"; flow:established,to_server; uricontent:"/cart.inc.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CubeCart; sid:2004035; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UNION SELECT"; flow:established,to_server; uricontent:"/cart.inc.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CubeCart; sid:2004036; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php INSERT"; flow:established,to_server; uricontent:"/cart.inc.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CubeCart; sid:2004037; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php DELETE"; flow:established,to_server; uricontent:"/cart.inc.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CubeCart; sid:2004038; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII"; flow:established,to_server; uricontent:"/cart.inc.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CubeCart; sid:2004039; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE"; flow:established,to_server; uricontent:"/cart.inc.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CubeCart; sid:2004040; rev:5;) # By David Maciejak, 2005-11-03 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; uricontent:"/show_news.php"; nocase; uricontent:"template="; nocase; pcre:"/template=[./]+/Ui"; reference:bugtraq,15295; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CuteNews; sid:2002668; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; uricontent:"/show_archives.php"; nocase; uricontent:"template="; nocase; pcre:"/template=[./]+/Ui"; reference:bugtraq,15295; classtype: misc-activity; reference:url,doc.emergingthreats.net/2003152; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CuteNews; sid:2003152; rev:4;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/portfolio/css.php?"; nocase; uricontent:"theme="; nocase; content:"../"; classtype:web-application-attack; reference:cve,CVE-2008-6265; reference:bugtraq,32218; reference:url,vupen.com/english/advisories/2008/3070; reference:url,milw0rm.com/exploits/7065; reference:url,doc.emergingthreats.net/2009764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cyberfolio; sid:2009764; rev:3;) # Submitted by David Maciejak on 2005-11-15 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php?"; nocase; pcre:"/id=-?\d+\s+UNION\s+/Ui"; reference:bugtraq,15418; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2002678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cyphor; sid:2002678; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; distance:0; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; classtype:web-application-attack; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software; sid:2008789; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plus/feedback_js.php?"; nocase; uricontent:"arcurl="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DEDECMS; sid:2010271; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plus/feedback_js.php?"; nocase; uricontent:"arcurl="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DEDECMS; sid:2010272; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plus/feedback_js.php?"; nocase; uricontent:"arcurl="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DEDECMS; sid:2010273; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plus/feedback_js.php?"; nocase; uricontent:"arcurl="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DEDECMS; sid:2010274; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plus/feedback_js.php?"; nocase; uricontent:"arcurl="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DEDECMS; sid:2010275; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004083; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004084; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004085; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004085; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004086; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004086; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004087; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004088; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004088; rev:5;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004456; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004457; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004457; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004458; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004459; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004459; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004460; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004461; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright"; flow:established,to_server; uricontent:"/footer.php?"; nocase; uricontent:"copyright="; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-0694; reference:url,www.securityfocus.com/bid/24200; reference:url,doc.emergingthreats.net/2004584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004584; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; pcre:"/.*?.*<.+\/script>?/iU"; classtype:web-application-attack; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DGNews; sid:2004585; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dm-albums/template/album.php?"; nocase; uricontent:"SECURITY_FILE="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,secunia.com/advisories/35622/;reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMAlbums; sid:2010025; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dm-albums/template/album.php?"; nocase; uricontent:"SECURITY_FILE="; nocase; pcre:"/SECURITY_FILE=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010027; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMAlbums; sid:2010027; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"mid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2004683; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"mid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004684; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2004684; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"mid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004685; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2004685; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"mid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2004686; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"mid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004687; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2004687; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"mid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004688; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2004688; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp SELECT"; flow:established,to_server; uricontent:"/set_preferences.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006081; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006081; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UNION SELECT"; flow:established,to_server; uricontent:"/set_preferences.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006082; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006082; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp INSERT"; flow:established,to_server; uricontent:"/set_preferences.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006083; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp DELETE"; flow:established,to_server; uricontent:"/set_preferences.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006084; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ASCII"; flow:established,to_server; uricontent:"/set_preferences.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006085; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006085; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE"; flow:established,to_server; uricontent:"/set_preferences.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006086; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006086; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT"; flow:established,to_server; uricontent:"/send_password_preferences.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006087; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; uricontent:"/send_password_preferences.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006088; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT"; flow:established,to_server; uricontent:"/send_password_preferences.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006089; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006089; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp DELETE"; flow:established,to_server; uricontent:"/send_password_preferences.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006090; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ASCII"; flow:established,to_server; uricontent:"/send_password_preferences.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006091; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE"; flow:established,to_server; uricontent:"/send_password_preferences.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006092; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp SELECT"; flow:established,to_server; uricontent:"/SecureLoginManager/list.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006093; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UNION SELECT"; flow:established,to_server; uricontent:"/SecureLoginManager/list.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006094; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006094; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp INSERT"; flow:established,to_server; uricontent:"/SecureLoginManager/list.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006095; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp DELETE"; flow:established,to_server; uricontent:"/SecureLoginManager/list.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006096; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ASCII"; flow:established,to_server; uricontent:"/SecureLoginManager/list.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006097; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006097; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE"; flow:established,to_server; uricontent:"/SecureLoginManager/list.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006098; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006099; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UNION SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006100; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent INSERT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006101; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006101; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent DELETE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006102; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ASCII"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006103; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006103; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006104; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006104; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent SELECT"; flow:established,to_server; uricontent:"/content.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006105; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006105; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UNION SELECT"; flow:established,to_server; uricontent:"/content.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006106; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006106; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent INSERT"; flow:established,to_server; uricontent:"/content.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006107; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006107; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent DELETE"; flow:established,to_server; uricontent:"/content.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006108; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006108; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ASCII"; flow:established,to_server; uricontent:"/content.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006109; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006109; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE"; flow:established,to_server; uricontent:"/content.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006110; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent SELECT"; flow:established,to_server; uricontent:"/members.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006111; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006111; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UNION SELECT"; flow:established,to_server; uricontent:"/members.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006112; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006112; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent INSERT"; flow:established,to_server; uricontent:"/members.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006113; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006113; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent DELETE"; flow:established,to_server; uricontent:"/members.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006114; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ASCII"; flow:established,to_server; uricontent:"/members.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006115; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006115; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; uricontent:"/members.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006116; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent SELECT"; flow:established,to_server; uricontent:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006117; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UNION SELECT"; flow:established,to_server; uricontent:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006118; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent INSERT"; flow:established,to_server; uricontent:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006119; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent DELETE"; flow:established,to_server; uricontent:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006120; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ASCII"; flow:established,to_server; uricontent:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006121; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006121; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE"; flow:established,to_server; uricontent:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; uricontent:"sent="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006122; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2006122; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Multiple Products upload_image_category.asp cid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/upload_image_category.asp?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33253; reference:url,xforce.iss.net/xforce/xfdb/47959; reference:url,milw0rm.com/exploits/7767; reference:url,doc.emergingthreats.net/2009739; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DMXReady; sid:2009739; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"ordernum="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DQOS; sid:2005895; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"ordernum="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005896; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DQOS; sid:2005896; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"ordernum="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DQOS; sid:2005897; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"ordernum="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005898; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DQOS; sid:2005898; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"ordernum="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005899; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DQOS; sid:2005899; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"ordernum="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DQOS; sid:2005900; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/boardrule.php?"; nocase; uricontent:"groupboardid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,36282; reference:url,doc.emergingthreats.net/2010259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DVBBS; sid:2010259; rev:2;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid"; flow:established,to_server; uricontent:"/loan.php?"; nocase; uricontent:"movieid="; nocase; uricontent:"script"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003920; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DVDdb; sid:2003920; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s"; flow:established,to_server; uricontent:"/listmovies.php?"; nocase; uricontent:"s="; nocase; uricontent:"script"; nocase; pcre:"/?.*<.+\/script>?/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003921; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DVDdb; sid:2003921; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/dfss/lgsl/lgsl_players.php?"; nocase; uricontent:"lgsl_path="; nocase; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DaFun; sid:2011099; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/dfss/lgsl/lgsl_settings.php?"; nocase; uricontent:"lgsl_path="; nocase; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DaFun; sid:2011100; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/engine/api/api.class.php?"; nocase; uricontent:"dle_config_api="; nocase; pcre:"/dle_config_api\s*=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html; reference:url,milw0rm.com/exploits/9572; reference:url,doc.emergingthreats.net/2010252; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Datalife; sid:2010252; rev:2;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DeZine DZcms products.php pcat parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/products.php?"; nocase; uricontent:"pcat="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33194; reference:url,milw0rm.com/exploits/7722; reference:url,doc.emergingthreats.net/2009319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DeZine; sid:2009319; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.php?"; nocase; uricontent:"siteid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,frsirt.com/english/advisories/2008/3079; reference:bugtraq,32191; reference:url,doc.emergingthreats.net/2008838; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DeltaScripts; sid:2008838; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DeluxeBB misc.php qorder Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/misc.php?"; nocase; uricontent:"sub=memberlist"; nocase; uricontent:"qorder="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,34174; reference:url,milw0rm.com/exploits/8240; reference:url,doc.emergingthreats.net/2009368; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DeluseBB; sid:2009368; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Demium CMS tracking.php follow_kat Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/tracking.php?"; nocase; uricontent:"follow_kat="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009323; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Demium; sid:2009323; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/urheber.php?"; nocase; uricontent:"name="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009324; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Demium; sid:2009324; rev:3;) #by tinytwitty alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; uricontent:"/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004834; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Design4Online; sid:2004834; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; uricontent:"/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004835; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Design4Online; sid:2004835; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; uricontent:"/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Design4Online; sid:2004836; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; uricontent:"/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004837; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Design4Online; sid:2004837; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; uricontent:"/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004838; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Design4Online; sid:2004838; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; uricontent:"/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Design4Online; sid:2004839; rev:5;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/don3_requiem.php?"; nocase; uricontent:"app_path="; nocase; pcre:"/app_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DesktopOnNet; sid:2009317; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/frontpage.php?"; nocase; uricontent:"app_path="; nocase; pcre:"/app_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DesktopOnNet; sid:2009318; rev:3;) #by stillsecure alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery cat_id paramter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gallery_category.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.c